<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="utf-8" />
    <title>net Command (net user/group)</title>
    <link rel="stylesheet" type="text/css" href="common/style.css" />
    <script language="JavaScript" type="text/javascript" src="common/script.js"></script>
  </head>
  <body>
    <h1 class="title">net Command (net user/group)</h1>
      <h2 class="toc"><a href="#toc" class="collapse" id="a-toc" onclick="showhide('toc');">-</a> <a name="toc">Table of Contents</a></h2>
        <div class="toc" id="div-toc">
          <ul>
            <li><a href="#Summary">Tool Overview</a></li>
            <li><a href="#ExecCondition">Tool Operation Overview</a></li>
            <li><a href="#Findings">Information Acquired from Log</a></li>
            <li><a href="#SuccessCondition">Evidence That Can Be Confirmed When Execution is Successful</a></li>
            <li><a href="#KeyEvents">Main Information Recorded at Execution</a></li>
            <li><a href="#SourceDetails">Details: Source Host</a></li>
            <li><a href="#DestinationDetails">Details: Destination Host</a></li>
            <li><a href="#Packets">Packet Capture</a></li>
            <li><a href="#Notes">Remarks</a></li>
          </ul>
          <p class="toc_command"><a href="#" onclick="collapseall('s');">Open all sections</a> | <a href="#" onclick="collapseall('h');">Close all sections</a></p>
          <hr class="section_divider" />
        </div>
      <h2 class="section"><a href="#Summary" class="collapse" id="a-Summary" onclick="showhide('Summary');">-</a> <a name="Summary">Tool Overview</a></h2>
        <div class="section" id="div-Summary">
          <dl class="table">
            <dt class="table">Category</dt>
              <dd class="table">Adding or Deleting a User/Group</dd>
            <dt class="table">Description</dt>
<dd class="table">Adds or deletes a user account on a host or in a domain, and adds an account to or removes it from a group (net user / net group).</dd>
            <dt class="table">Example of Presumed Tool Use During an Attack</dt>
<dd class="table">This tool is used to create an account, add it to a privileged group such as Domain Admins, and use that account to log on to other hosts. The account is often deleted again afterwards to remove traces.</dd>
          </dl>
        </div>
      <h2 class="section"><a href="#ExecCondition" class="collapse" id="a-ExecCondition" onclick="showhide('ExecCondition');">-</a> <a name="ExecCondition">Tool Operation Overview</a></h2>
        <div class="section" id="div-ExecCondition">
          <table class="border">
            <thead>
              <tr class="border">
                <th class="border_header">Item</th>
                <th class="border_header">Source Host</th>
                <th class="border_header">Domain Controller</th>
              </tr>
            </thead>
            <tbody>
              <tr class="border">
                <td class="border_header">OS</td>
                <td class="border">Windows</td>
                <td class="border">Windows Server</td>
              </tr>
              <tr class="border">
                <td class="border_header">Belonging to Domain</td>
<td class="border" colspan="2">Required when the /domain option is used, as on this page. Without /domain the same commands change the local SAM of the source host, and the corresponding events are recorded in the source host's Security log instead of on the domain controller.</td>
              </tr>
              <tr class="border">
                <td class="border_header">Rights</td>
<td class="border" colspan="2">Administrator (for /domain, a domain account permitted to manage accounts, such as a member of Domain Admins or Account Operators)</td>
              </tr>
              <tr class="border">
                <td class="border_header">Service</td>
                <td class="border">Workstation</td>
                <td class="border">Active Directory Domain Services</td>
              </tr>
            </tbody>
          </table>
        </div>
      <h2 class="section"><a href="#Findings" class="collapse" id="a-Findings" onclick="showhide('Findings');">-</a> <a name="Findings">Information Acquired from Log</a></h2>
        <div class="section" id="div-Findings">
          <dl class="table">
            <dt class="table">Standard Settings</dt>
              <dd class="table"><ul>
                <li>Source host<ul>
                  <li>Execution history (Prefetch)</li>
                  </ul></li>
                <li>Domain Controller<ul>
<li>A record that a user or group was added, changed, or deleted (audit policy; Audit Account Management is enabled by default on domain controllers)</li>
                  </ul></li>
                </ul></dd>
            <dt class="table">Additional Settings</dt>
              <dd class="table"><ul>
                <li>Source host<ul>
                  <li>Execution history (audit policy, Sysmon)</li>
<li>User name, password, or group name specified on the command line (Sysmon). The password of a created account is recorded in cleartext, so the Sysmon log itself must be protected, and the password should be treated as compromised once the log has been read.</li>
                  </ul></li>
                </ul></dd>
          </dl>
        </div>
      <h2 class="section"><a href="#SuccessCondition" class="collapse" id="a-SuccessCondition" onclick="showhide('SuccessCondition');">-</a> <a name="SuccessCondition">Evidence That Can Be Confirmed When Execution is Successful</a></h2>
        <div class="section" id="div-SuccessCondition">
          <ul>
<li>Change of the user/group (Event ID: 4720 user created, 4722 user enabled, 4726 user deleted, 4728 member added to a global group, 4737 global group changed, etc.) is recorded in the event log &quot;Security&quot; of the domain controller (or of the source host itself when /domain is not given).</li>
          </ul>
        </div>
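<p>Those event IDs are easiest to use when they are correlated per account rather than read one at a time. The following is an added example, not part of the original analysis sheet and not code from the tool's author: it walks constructed Security events from a domain controller (field names as they appear in the event's EventData: TargetSid, TargetUserName, MemberSid, MemberName, SubjectUserName), rebuilds each account's lifecycle, and reports accounts that were created and then placed in a privileged group, marking those deleted again within 24 hours. Privileged groups are matched by well-known SID/RID (512 Domain Admins, 518 Schema Admins, 519 Enterprise Admins, S-1-5-32-544 Administrators, S-1-5-32-548 Account Operators) rather than by display name, so renamed or localized groups are still caught, and 4732 (local group) and 4756 (universal group) member additions are handled alongside the 4728 listed on this page. SAMPLE_EVENTS, the SIDs, account names and timestamps are constructed for the example.</p>

```python
"""Correlate account-management events from a domain controller's Security log.

Added example (not part of the original sheet). Each event is a dict with
EventID, TimeCreated and the EventData field names used by the Windows
Security log; SAMPLE_EVENTS is constructed, not taken from a real controller.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Privileged groups matched by SID rather than display name, so renamed or
# localized groups are still caught. Domain groups have a well-known RID under
# the domain SID; built-in groups have fixed S-1-5-32-* SIDs.
PRIVILEGED_DOMAIN_RIDS = {512: "Domain Admins", 518: "Schema Admins", 519: "Enterprise Admins"}
PRIVILEGED_BUILTIN_SIDS = {"S-1-5-32-544": "Administrators", "S-1-5-32-548": "Account Operators"}
MEMBER_ADDED = {4728, 4732, 4756}   # global / local / universal group member added


def privileged_group(sid: str) -> Optional[str]:
    """Name of the privileged group with this SID, or None."""
    if sid in PRIVILEGED_BUILTIN_SIDS:
        return PRIVILEGED_BUILTIN_SIDS[sid]
    if sid.startswith("S-1-5-21-"):
        return PRIVILEGED_DOMAIN_RIDS.get(int(sid.rsplit("-", 1)[1]))
    return None


def cn_of(dn: str) -> str:
    """First CN= component of a DN such as CN=svc_backup,CN=Users,DC=corp,DC=example."""
    for part in dn.split(","):
        if part.upper().startswith("CN="):
            return part[3:]
    return dn


@dataclass
class AccountLifecycle:
    sid: str
    name: str = ""
    created_by: str = ""                 # SubjectUserName of the 4720
    created: Optional[datetime] = None   # 4720
    enabled: Optional[datetime] = None   # 4722
    privileged_groups: List[str] = field(default_factory=list)  # 4728/4732/4756
    deleted: Optional[datetime] = None   # 4726


def build_lifecycles(events: List[dict]) -> Dict[str, AccountLifecycle]:
    """Fold the events, in time order, into one lifecycle per account SID."""
    accounts: Dict[str, AccountLifecycle] = {}

    def account(sid: str, name: str) -> AccountLifecycle:
        a = accounts.setdefault(sid, AccountLifecycle(sid=sid))
        a.name = a.name or name
        return a

    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        eid, when = ev["EventID"], datetime.fromisoformat(ev["TimeCreated"])
        if eid == 4720:
            a = account(ev["TargetSid"], ev["TargetUserName"])
            a.created, a.created_by = when, ev["SubjectUserName"]
        elif eid == 4722:
            account(ev["TargetSid"], ev["TargetUserName"]).enabled = when
        elif eid in MEMBER_ADDED:
            # In membership events TargetSid/TargetUserName describe the group;
            # the account that was added is in MemberSid/MemberName (a DN).
            group = privileged_group(ev["TargetSid"])
            if group is not None:
                account(ev["MemberSid"], cn_of(ev["MemberName"])).privileged_groups.append(group)
        elif eid == 4726:
            account(ev["TargetSid"], ev["TargetUserName"]).deleted = when
        # 4737 (group changed) accompanies 4728 and carries no extra membership data
    return accounts


def suspicious_accounts(events: List[dict], max_lifetime: timedelta = timedelta(hours=24)
                        ) -> List[Tuple[AccountLifecycle, bool]]:
    """Accounts created in the window and then placed in a privileged group.
    The flag is True when the account was also deleted within max_lifetime."""
    found = []
    for a in build_lifecycles(events).values():
        if a.created is None or not a.privileged_groups:
            continue
        short_lived = a.deleted is not None and max_lifetime >= a.deleted - a.created
        found.append((a, short_lived))
    return found


DOM = "S-1-5-21-1111-2222-3333"          # constructed domain SID
SVC, HELP = DOM + "-1105", DOM + "-1106"
SAMPLE_EVENTS = [  # constructed: create, enable, promote and later delete svc_backup
    {"EventID": 4720, "TimeCreated": "2024-01-10T09:00:01", "SubjectUserName": "administrator",
     "TargetUserName": "svc_backup", "TargetSid": SVC},
    {"EventID": 4722, "TimeCreated": "2024-01-10T09:00:01", "SubjectUserName": "administrator",
     "TargetUserName": "svc_backup", "TargetSid": SVC},
    {"EventID": 4728, "TimeCreated": "2024-01-10T09:00:07", "SubjectUserName": "administrator",
     "TargetUserName": "Domain Admins", "TargetSid": DOM + "-512",
     "MemberName": "CN=svc_backup,CN=Users,DC=corp,DC=example", "MemberSid": SVC},
    {"EventID": 4737, "TimeCreated": "2024-01-10T09:00:07", "SubjectUserName": "administrator",
     "TargetUserName": "Domain Admins", "TargetSid": DOM + "-512"},
    {"EventID": 4732, "TimeCreated": "2024-01-10T09:00:12", "SubjectUserName": "administrator",
     "TargetUserName": "Administrators", "TargetSid": "S-1-5-32-544",
     "MemberName": "CN=svc_backup,CN=Users,DC=corp,DC=example", "MemberSid": SVC},
    {"EventID": 4720, "TimeCreated": "2024-01-10T10:00:00", "SubjectUserName": "helpdesk",
     "TargetUserName": "helpdesk02", "TargetSid": HELP},
    {"EventID": 4726, "TimeCreated": "2024-01-10T11:30:00", "SubjectUserName": "administrator",
     "TargetUserName": "svc_backup", "TargetSid": SVC},
]

if __name__ == "__main__":
    for acct, short in suspicious_accounts(SAMPLE_EVENTS):
        print(acct.name, acct.created_by, acct.privileged_groups, "short-lived" if short else "")
```

<p>On the sample, svc_backup is reported with both privileged groups and the short-lived flag, while helpdesk02 (created but never promoted) is not. The 4737 record is deliberately ignored: it is logged together with the 4728 and tells you nothing the membership event does not. When the deletion is missing, the account is still reported, since a persistent privileged account is the more dangerous case.</p>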
      <h2 class="section"><a href="#KeyEvents" class="collapse" id="a-KeyEvents" onclick="showhide('KeyEvents');">-</a> <a name="KeyEvents">Main Information Recorded at Execution</a></h2>
        <div class="section" id="div-KeyEvents">
          <h3 class="subsection"><a href="#KeyEvents-Source" class="collapse" id="a-KeyEvents-Source" onclick="showhide('KeyEvents-Source');">-</a> <a name="KeyEvents-Source">Source Host</a></h3>
            <div class="section" id="div-KeyEvents-Source">
              <h4>Event log</h4>
                <table class="border">
                  <thead>
                    <tr class="border">
                      <th class="border_header">#</th>
                      <th class="border_header">Log</th>
                      <th class="border_header">Event ID</th>
                      <th class="border_header">Task Category</th>
                      <th class="border_header">Event Details</th>
                    </tr>
                  </thead>
                  <tbody>
                    <tr class="border">
                      <td class="border">1</td>
                      <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                      <td class="border">1</td>
                      <td class="border">Process Create (rule: ProcessCreate)</td>
                      <td class="border">Process Create.<ul>
                        <li><span class="strong">CommandLine</span>: Command line of the execution command (net user [User Name to Add] [Password] /add /domain)</li>
                        <li><span class="strong">UtcTime</span>: Process execution date and time (UTC)</li>
<li><span class="strong">ProcessGuid/ProcessId</span>: Process GUID and process ID</li>
                        <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\net.exe)</li>
                        <li><span class="strong">User</span>: Account that ran the process</li>
                        </ul></td>
                    </tr>
                    <tr class="border">
                      <td class="border">2</td>
                      <td class="border">Security</td>
                      <td class="border">4689</td>
                      <td class="border">Process Termination</td>
                      <td class="border">A process has exited.<ul>
                        <li><span class="strong">Process Information &gt; Exit Status</span>: Process return value (0x0)</li>
                        <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool (account name)</li>
                        <li><span class="strong">Log Date and Time</span>: Process terminated date and time (local time)</li>
                        <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the account belongs (domain)</li>
                        <li><span class="strong">Process Information &gt; Process Name</span>: Path to the executable file (C:\Windows\System32\net.exe)</li>
                        <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool (user SID)</li>
                        </ul></td>
                    </tr>
                    <tr class="border">
                      <td class="border">3</td>
                      <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                      <td class="border">1</td>
                      <td class="border">Process Create (rule: ProcessCreate)</td>
                      <td class="border">Process Create.<ul>
                        <li><span class="strong">ParentImage</span>: Executable file of the parent process (C:\Windows\System32\net.exe)</li>
                        <li><span class="strong">CommandLine</span>: Command line of the execution command (net1 user [User Name to Add] [Password] /add /domain)</li>
                        <li><span class="strong">ParentCommandLine</span>: Command line of the parent process (net user [User Name to Add] [Password] /add /domain)</li>
                        <li><span class="strong">UtcTime</span>: Process execution date and time (UTC)</li>
<li><span class="strong">ProcessGuid/ProcessId</span>: Process GUID and process ID (ParentProcessGuid matches the ProcessGuid of the net.exe event above)</li>
                        <li><span class="strong">User</span>: Account that ran the process</li>
                        <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\net1.exe)</li>
                        </ul></td>
                    </tr>
                  </tbody>
                </table>
              <h4>Prefetch</h4>
                <ul>
                  <li>C:\Windows\Prefetch\NET1.EXE-[RANDOM].pf</li>
                  <li>C:\Windows\Prefetch\NET.EXE-[RANDOM].pf</li>
                </ul>
            </div>
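<p>The net.exe to net1.exe chain above, together with the cleartext password in the CommandLine field, is what a Sysmon-based detection keys on. The following is an added example, not part of the original analysis sheet and not code from the tool's author: it parses Sysmon Event ID 1 records held as Python dicts of EventData fields and reports one finding per net/net1 chain, so the parent and its child are not counted twice. It generalises the <code>net user ... /add /domain</code> case on this page to /delete and to <code>net group</code> / <code>net localgroup</code> membership changes, and flags net1.exe started without net.exe as its parent, which is a way of avoiding rules that only look at net.exe. The SAMPLE_EVENTS records, account names, GUIDs and times are constructed for the example.</p>

```python
"""Flag user/group changes made with net.exe from Sysmon Event ID 1 records.

Added example (not part of the original sheet). Each record is a dict of
Sysmon EventData fields; SAMPLE_EVENTS is constructed, not from a real host.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

NET_IMAGES = {"net.exe", "net1.exe"}
SWITCH_ACTIONS = {"/add": "add", "/delete": "delete", "/del": "delete"}


@dataclass
class NetAccountChange:
    utc_time: str
    actor: str                  # account that ran the command (Sysmon "User")
    subcommand: str             # user / group / localgroup
    target: str                 # account or group name acted on
    action: str                 # add / delete
    scope: str                  # domain (/domain given) or local
    member: Optional[str]       # for group/localgroup: the member added/removed
    password_in_cmdline: bool   # cleartext password exposed in the log
    direct_net1: bool           # net1.exe run without net.exe as its parent


def split_cmdline(cmdline: str) -> List[str]:
    """Split a Windows command line, keeping quoted arguments together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def analyze_event(ev: dict) -> Optional[NetAccountChange]:
    """Finding for a net/net1 process-create event that changes an account or group."""
    image = ntpath.basename(ev.get("Image", "")).lower()
    if image not in NET_IMAGES:
        return None
    tokens = split_cmdline(ev.get("CommandLine", ""))
    if len(tokens) < 2 or tokens[1].lower() not in ("user", "group", "localgroup"):
        return None
    sub = tokens[1].lower()
    positional = [t for t in tokens[2:] if not t.startswith("/")]
    switches = {t.lower() for t in tokens[2:] if t.startswith("/")}
    action = next((SWITCH_ACTIONS[s] for s in switches if s in SWITCH_ACTIONS), None)
    if action is None:          # "net user" / "net group /domain": enumeration only
        return None
    target = positional[0] if positional else ""
    second = positional[1] if len(positional) > 1 else None
    if sub == "user":
        # "net user NAME PASSWORD /add": the password is the second positional
        # argument and lands in the log in cleartext; "*" makes net prompt instead
        member = None
        pw_exposed = action == "add" and second not in (None, "*")
    else:
        member, pw_exposed = second, False
    parent = ntpath.basename(ev.get("ParentImage", "")).lower()
    return NetAccountChange(
        utc_time=ev.get("UtcTime", ""), actor=ev.get("User", ""), subcommand=sub,
        target=target, action=action, scope="domain" if "/domain" in switches else "local",
        member=member, password_in_cmdline=pw_exposed,
        direct_net1=(image == "net1.exe" and parent != "net.exe"),
    )


def find_account_changes(events: List[dict]) -> List[NetAccountChange]:
    """One finding per net.exe -> net1.exe chain, plus any net1.exe run on its own."""
    findings, net_guids = [], set()
    for ev in events:
        image = ntpath.basename(ev.get("Image", "")).lower()
        if image == "net.exe":
            net_guids.add(ev.get("ProcessGuid"))
        elif image == "net1.exe" and ev.get("ParentProcessGuid") in net_guids:
            continue  # the child repeats the parent's command line; already counted
        finding = analyze_event(ev)
        if finding is not None:
            findings.append(finding)
    return findings


def _ev(image, cmd, guid, parent_image, parent_guid, utc):
    """Build one constructed Sysmon Event ID 1 record."""
    return {"UtcTime": utc, "Image": image, "CommandLine": cmd, "ProcessGuid": guid,
            "ParentImage": parent_image, "ParentProcessGuid": parent_guid, "User": "CORP\\jdoe"}


NET = r"C:\Windows\System32\net.exe"
NET1 = r"C:\Windows\System32\net1.exe"
CMD = r"C:\Windows\System32\cmd.exe"
# Constructed sample: create a domain user, add it to Domain Admins, enumerate,
# run net1.exe directly against the local Administrators group, then delete.
SAMPLE_EVENTS = [
    _ev(NET, "net user svc_backup P@ssw0rd123 /add /domain", "{A}", CMD, "{C0}", "2024-01-10 09:00:01"),
    _ev(NET1, "net1 user svc_backup P@ssw0rd123 /add /domain", "{A1}", NET, "{A}", "2024-01-10 09:00:01"),
    _ev(NET, 'net group "Domain Admins" svc_backup /add /domain', "{B}", CMD, "{C0}", "2024-01-10 09:00:07"),
    _ev(NET1, 'net1 group "Domain Admins" svc_backup /add /domain', "{B1}", NET, "{B}", "2024-01-10 09:00:07"),
    _ev(NET, "net user /domain", "{C}", CMD, "{C0}", "2024-01-10 09:00:20"),
    _ev(NET1, "net1 localgroup Administrators svc_backup /add", "{D}", CMD, "{C0}", "2024-01-10 09:01:00"),
    _ev(NET, "net user svc_backup /delete /domain", "{E}", CMD, "{C0}", "2024-01-10 11:30:00"),
]

if __name__ == "__main__":
    for finding in find_account_changes(SAMPLE_EVENTS):
        print(finding)
```

<p>On the sample this yields four findings: the domain user creation (with the password flagged as exposed), the addition to Domain Admins, the direct net1.exe addition to the local Administrators group, and the deletion; the enumeration-only <code>net user /domain</code> is ignored. On a live host the same fields come from the Microsoft-Windows-Sysmon/Operational log (for example via Get-WinEvent), and the findings should be joined with the domain controller's 4720/4728 events by account name and time.</p>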
          <h3 class="subsection"><a href="#KeyEvents-AD" class="collapse" id="a-KeyEvents-AD" onclick="showhide('KeyEvents-AD');">-</a> <a name="KeyEvents-AD">Domain Controller</a></h3>
            <div class="section" id="div-KeyEvents-AD">
              <h4>Event log</h4>
                <table class="border">
                  <thead>
                    <tr class="border">
                      <th class="border_header">#</th>
                      <th class="border_header">Log</th>
                      <th class="border_header">Event ID</th>
                      <th class="border_header">Task Category</th>
                      <th class="border_header">Event Details</th>
                    </tr>
                  </thead>
                  <tbody>
                    <tr class="border">
                      <td class="border">1</td>
                      <td class="border">Security</td>
                      <td class="border">4661</td>
                      <td class="border">SAM</td>
                      <td class="border">A handle to an object was requested.<ul>
<li><span class="strong">Audit Success</span>: Outcome of the handle request (success)</li>
                        <li><span class="strong">Object &gt; Object Name</span>: Target object name (DN)</li>
                        <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool (administrator)</li>
                        <li><span class="strong">Access Request Information &gt; Access</span>: Requested access rights (DELETE)</li>
                        <li><span class="strong">Object &gt; Object Server</span>: Subsystem that owns the object (Security Account Manager)</li>
                        <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the account belongs (domain)</li>
                        <li><span class="strong">Process Information &gt; Process Name</span>: Process that requested the handle (C:\Windows\System32\lsass.exe; the SAM request from the source host is served by the domain controller's LSASS, so net.exe itself never appears here)</li>
                        <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool (SID of the administrator)</li>
                        <li><span class="strong">Object &gt; Object Type</span>: Target object category (SAM_DOMAIN)</li>
                        </ul></td>
                    </tr>
                    <tr class="border">
                      <td class="border">2</td>
                      <td class="border">Security</td>
                      <td class="border">4624</td>
                      <td class="border">Logon</td>
                      <td class="border">An account was successfully logged on.<ul>
                        <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                        <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool (S-1-0-0/-/-)</li>
                        <li><span class="strong">New Logon &gt; Logon ID/Logon GUID</span>: Session ID of the user who was logged on</li>
                        <li><span class="strong">Detailed Authentication Information &gt; Package Name (NTLM only)</span>: NTLM version (-)</li>
                        <li><span class="strong">Detailed Authentication Information &gt; Logon Process</span>: Process used for logon (Kerberos)</li>
                        <li><span class="strong">Network Information &gt; Source Port</span>: Source port number</li>
                        <li><span class="strong">New Logon &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who was logged on ([SID of Administrator]/[Administrator]/[Domain])</li>
                        <li><span class="strong">Logon Type</span>: Logon path, method, etc. (3=Network)</li>
                        <li><span class="strong">Network Information &gt; Workstation Name</span>: Name of the host that requested the logon</li>
                        <li><span class="strong">Detailed Authentication Information &gt; Key Length</span>: Length of the key used for the authentication (0)</li>
                        <li><span class="strong">Process Information &gt; Process Name</span>: Path to the executable file</li>
                        <li><span class="strong">Detailed Authentication Information &gt; Authentication Package</span>: Authentication package used (Kerberos)</li>
                        <li><span class="strong">Network Information &gt; Source Network Address</span>: IP address that requested the logon</li>
                        </ul></td>
                    </tr>
                    <tr class="border">
                      <td class="border">3</td>
                      <td class="border">Security</td>
                      <td class="border">4737</td>
                      <td class="border">Security Group Management</td>
                      <td class="border">A security-enabled global group was changed.<ul>
                        <li><span class="strong">Changed Attribute &gt; SID History</span>: Changed history of the SID (-)</li>
                        <li><span class="strong">Group &gt; Security ID</span>: Changed SID of the group (SID of the domain administrator group)</li>
                        <li><span class="strong">Group &gt; Group Domain</span>: Changed domain to which the group belongs (Domain)</li>
                        <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool (administrator)</li>
                        <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the account belongs (domain)</li>
                        <li><span class="strong">Additional Information &gt; Privileges</span>: Changed privileges of the group (-)</li>
                        <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool (SID of the administrator)</li>
                        <li><span class="strong">Changed Attribute &gt; SAM Account Name</span>: Changed name of the SAM account (-)</li>
                        <li><span class="strong">Group &gt; Group Name</span>: Changed name of the group (Domain Admins)</li>
                        </ul></td>
                    </tr>
                    <tr class="border">
                      <td class="border">4</td>
                      <td class="border">Security</td>
                      <td class="border">4728</td>
                      <td class="border">Security Group Management</td>
                      <td class="border">A member was added to a security-enabled global group.<ul>
                        <li><span class="strong">Group &gt; Security ID</span>: SID of the group to which a member was added (SID of the domain administrator group)</li>
                        <li><span class="strong">Group &gt; Group Domain</span>: Domain that the group to which a member was added belongs to (Domain)</li>
                        <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool (administrator)</li>
                        <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the account belongs (domain)</li>
                        <li><span class="strong">Member &gt; Security ID</span>: SID of the user who was added to the global group (SID of the created user)</li>
                        <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool (SID of the administrator)</li>
                        <li><span class="strong">Member &gt; Account Name</span>: Name of the account that was added to the global group (CN=[Created User Name],CN=[OU],DC=[DN])</li>
                        <li><span class="strong">Group &gt; Group Name</span>: Name of the group to which a member was added (Domain Admins)</li>
                        </ul></td>
                    </tr>
                    <tr class="border">
                      <td class="border">5</td>
                      <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                      <td class="border">3</td>
                      <td class="border">Network connection detected (rule: NetworkConnect)</td>
                      <td class="border">Network connection detected.<ul>
                        <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
                        <li><span class="strong">Image</span>: Path to the executable file (System)</li>
                        <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID (4)</li>
                        <li><span class="strong">User</span>: Execute as user (NT AUTHORITY\SYSTEM)</li>
<li><span class="strong">SourceIp/SourceHostname/SourcePort</span>: Source IP address/Host name/Port number (Domain Controller, port 445 = SMB, over which the SAM remote protocol is carried)</li>
                        <li><span class="strong">DestinationIp/DestinationHostname/DestinationPort</span>: Destination IP address/Host name/Port number (source host)</li>
                        </ul></td>
                    </tr>
                    <tr class="border">
                      <td class="border">6</td>
                      <td class="border">Security</td>
                      <td class="border">4634</td>
                      <td class="border">Logoff</td>
                      <td class="border">An account was logged off.<ul>
                        <li><span class="strong">Logon Type</span>: Logon path, method, etc. (3=Network)</li>
                        <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool ([SID of Administrator]/[Administrator]/[Domain])</li>
                        </ul></td>
                    </tr>
                    <tr class="border">
                      <td class="border">7</td>
                      <td class="border">Security</td>
                      <td class="border">4661</td>
                      <td class="border">SAM</td>
                      <td class="border">A handle to an object was requested.<ul>
<li><span class="strong">Audit Success</span>: Outcome of the handle request (success)</li>
                        <li><span class="strong">Object &gt; Object Name</span>: Target object name (DC=[DN])</li>
                        <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool (administrator)</li>
                        <li><span class="strong">Access Request Information &gt; Access</span>: Requested access rights (DELETE)</li>
                        <li><span class="strong">Object &gt; Object Server</span>: Subsystem that owns the object (Security Account Manager)</li>
                        <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the account belongs (domain)</li>
                        <li><span class="strong">Process Information &gt; Process Name</span>: Process that requested the handle (C:\Windows\System32\lsass.exe)</li>
                        <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool (SID of the administrator)</li>
                        <li><span class="strong">Object &gt; Object Type</span>: Target object category (SAM_DOMAIN)</li>
                        </ul></td>
                    </tr>
                    <tr class="border">
                      <td class="border">8</td>
                      <td class="border">Security</td>
                      <td class="border">4624</td>
                      <td class="border">Logon</td>
                      <td class="border">An account was successfully logged on.<ul>
                        <li><span class="strong">Network Information &gt; Source Port</span>: Source port number</li>
                        <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool (S-1-0-0/-/-)</li>
                        <li><span class="strong">New Logon &gt; Logon ID/Logon GUID</span>: Session ID of the user who was logged on</li>
                        <li><span class="strong">Detailed Authentication Information &gt; Logon Process</span>: Process used for logon (Kerberos)</li>
                        <li><span class="strong">New Logon &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who was logged on ([SID of Administrator]/[Administrator]/[Domain])</li>
                        <li><span class="strong">Logon Type</span>: Logon path, method, etc. (3=Network)</li>
                        <li><span class="strong">Network Information &gt; Workstation Name</span>: Name of the host that requested the logon</li>
                        <li><span class="strong">Process Information &gt; Process Name</span>: Path to the executable file</li>
                        <li><span class="strong">Network Information &gt; Source Network Address</span>: IP address that requested the logon</li>
                        </ul></td>
                    </tr>
                    <tr class="border">
                      <td class="border">9</td>
                      <td class="border">Security</td>
                      <td class="border">4634</td>
                      <td class="border">Logoff</td>
                      <td class="border">An account was logged off.<ul>
                        <li><span class="strong">Logon Type</span>: Logon path, method, etc. (3=Network)</li>
                        <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool ([SID of Administrator]/[Administrator]/[Domain])</li>
                        </ul></td>
                    </tr>
                    <tr class="border">
                      <td class="border">10</td>
                      <td class="border">Security</td>
                      <td class="border">4726</td>
                      <td class="border">User Account Management</td>
                      <td class="border">A user account was deleted.<ul>
                        <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool (administrator)</li>
                        <li><span class="strong">Target Account &gt; Account Domain</span>: Domain that the account for which an attempt was made to reset the password belongs to (Domain)</li>
                        <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the account belongs (domain)</li>
                        <li><span class="strong">Target Account &gt; Account Name</span>: Name of the account for which an attempt was made to reset the password (deleted user name)</li>
                        <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool (SID of the administrator)</li>
                        <li><span class="strong">Target Account &gt; Security ID</span>: SID of the user for which an attempt was made to reset the password (SID of the general user)</li>
                        </ul></td>
                    </tr>
                    <tr class="border">
                      <td class="border">11</td>
                      <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                      <td class="border">3</td>
                      <td class="border">Network connection detected (rule: NetworkConnect)</td>
                      <td class="border">Network connection detected.<ul>
                        <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
                        <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32)</li>
                        <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                        <li><span class="strong">User</span>: Execute as user (NT AUTHORITY\SYSTEM)</li>
<li><span class="strong">SourceIp/SourceHostname/SourcePort</span>: Source IP address/Host name/Port number (Domain Controller, ports 445 = SMB and 88 = Kerberos)</li>
                        <li><span class="strong">DestinationIp/DestinationHostname/DestinationPort</span>: Destination IP address/Host name/Port number (source host)</li>
                        </ul></td>
                    </tr>
                    <tr class="border">
                      <td class="border">12</td>
                      <td class="border">Security</td>
                      <td class="border">4661</td>
                      <td class="border">SAM</td>
                      <td class="border">A handle to an object was requested.<ul>
                        <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                        <li><span class="strong">Object &gt; Object Name</span>: Target object name (DN)</li>
                        <li><span class="strong">Access Request Information &gt; Access</span>: Requested privilege (DELETE)</li>
                        <li><span class="strong">Object &gt; Object Server</span>: SecurityAccount Manager (Security Account Manager)</li>
                        <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C\Windows\System32\lsass.exe)</li>
                        <li><span class="strong">Object &gt; Object Type</span>: Target category (SAM_DOMAIN)</li>
                        </ul></td>
                    </tr>
                    <tr class="border">
                      <td class="border">13</td>
                      <td class="border">Security</td>
                      <td class="border">4624</td>
                      <td class="border">Logon</td>
                      <td class="border">An account was successfully logged on.<ul>
                        <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal) (0x0)</li>
                        <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool (S-1-0-0/-/-)</li>
                        <li><span class="strong">New Logon &gt; Logon ID/Logon GUID</span>: Session ID of the user who was logged on</li>
                        <li><span class="strong">Detailed Authentication Information &gt; Logon Process</span>: Process used for logon (Kerberos)</li>
                        <li><span class="strong">Network Information &gt; Source Port</span>: Source port number</li>
                        <li><span class="strong">New Logon &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who was logged on ([SID of Administrator]/[Administrator]/[Domain])</li>
                        <li><span class="strong">Logon Type</span>: Logon path, method, etc. (3=Network)</li>
                        <li><span class="strong">Network Information &gt; Workstation Name</span>: Name of the host that requested the logon</li>
                        <li><span class="strong">Detailed Authentication Information &gt; Key Length</span>: Length of the key used for the authentication (0)</li>
                        <li><span class="strong">Process Information &gt; Process Name</span>: Path to the executable file (-)</li>
                        <li><span class="strong">Detailed Authentication Information &gt; Authentication Package</span>: Authentication package used (Kerberos)</li>
                        <li><span class="strong">Network Information &gt; Source Network Address</span>: IP address that requested the logon</li>
                        <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the authentication (0x0)</li>
                        </ul></td>
                    </tr>
                    <tr class="border">
                      <td class="border">14</td>
                      <td class="border">Security</td>
                      <td class="border">4722</td>
                      <td class="border">User Account Management</td>
                      <td class="border">A user account was enabled.<ul>
                        <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool (administrator)</li>
                        <li><span class="strong">Target Account &gt; Account Domain</span>: Domain to which the enabled account belongs (Domain)</li>
                        <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the account belongs (domain)</li>
                        <li><span class="strong">Target Account &gt; Account Name</span>: Name of the enabled account (name of the added user)</li>
                        <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool (SID of the administrator)</li>
                        <li><span class="strong">Target Account &gt; Security ID</span>: SID of the enabled user (SID of the general user)</li>
                        </ul></td>
                    </tr>
                    <tr class="border">
                      <td class="border">15</td>
                      <td class="border">Security</td>
                      <td class="border">4720</td>
                      <td class="border">User Account Management</td>
                      <td class="border">A user account was created.<ul>
                        <li><span class="strong">Attribute &gt; Old UAC Value</span>: Old UAC value for the user that was created (0x0)</li>
                        <li><span class="strong">Attribute &gt; User Account Control</span>: Account control for the user that was created</li>
                        <li><span class="strong">Attribute &gt; Account Expiration Date</span>: Date on which the created user account expires</li>
                        <li><span class="strong">Attribute &gt; Password Last Set</span>: Last set password for the created user</li>
                        <li><span class="strong">Attribute &gt; SID History</span>: SID history of the created user (-)</li>
                        <li><span class="strong">New Account &gt; Account Name</span>: Name of the created account (name of the added user)</li>
                        <li><span class="strong">Attribute &gt; Logon Time</span>: Time at which the created user logged on</li>
                        <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool (SID of the administrator)</li>
                        <li><span class="strong">Attribute &gt; New UAC Value</span>: New UAC value for the created user (0x15)</li>
                        <li><span class="strong">Attribute &gt; Profile Path</span>: Path to profile of the created user</li>
                        <li><span class="strong">Attribute &gt; User Principal Name</span>: Principal name of the created user (-)</li>
                        <li><span class="strong">Attribute &gt; Allowed Delegation Destination</span>: Delegation destination allowed for the created user (-)</li>
                        <li><span class="strong">New Account &gt; Security ID</span>: SID of the created user (SID of the general user)</li>
                        <li><span class="strong">Attribute &gt; Primary Group ID</span>: Primary group ID to which the created user belongs (513)</li>
                        <li><span class="strong">Attribute &gt; Display Name</span>: Display name for the created user</li>
                        <li><span class="strong">Attribute &gt; SAM Account Name</span>: SAM account name for the created user (added user name)</li>
                        <li><span class="strong">New Account &gt; Account Domain</span>: Domain to which the created user belongs (Domain)</li>
                        <li><span class="strong">Attribute &gt; User Workstation</span>: Workstation name for the created user</li>
                        <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool (administrator)</li>
                        <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the account belongs (domain)</li>
                        <li><span class="strong">Additional Information &gt; Privileges</span>: Privilege information for the created user (-)</li>
                        <li><span class="strong">Attribute &gt; Home Directory</span>: Home directory for the created user</li>
                        <li><span class="strong">Attribute &gt; Script Path</span>: Script path for the created user</li>
                        <li><span class="strong">Attribute &gt; Home Drive</span>: Home drive for the created user</li>
                        <li><span class="strong">Attribute &gt; User Parameter</span>: Parameter for the created user</li>
                        </ul></td>
                    </tr>
                    <tr class="border">
                      <td class="border">16</td>
                      <td class="border">Security</td>
                      <td class="border">4738</td>
                      <td class="border">User Account Management</td>
                      <td class="border">A user account was changed.<ul>
                        <li><span class="strong">Changed Attribute &gt; Home Drive</span>: Changed home drive of the user (-)</li>
                        <li><span class="strong">Target Account &gt; Account Name</span>: Changed name of the group (added user name)</li>
                        <li><span class="strong">Changed Attribute &gt; Display Name</span>: Changed display name of the user</li>
                        <li><span class="strong">Changed Attribute &gt; Script Path</span>: Changed path to the script of the user (-)</li>
                        <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool (SID of the administrator)</li>
                        <li><span class="strong">Changed Attribute &gt; Allowed Delegation Destination</span>: Changed delegation destination allowed for the user (-)</li>
                        <li><span class="strong">Target Account &gt; Account Domain</span>: Changed domain to which the group belongs (Domain)</li>
                        <li><span class="strong">Changed Attribute &gt; User Workstation</span>: Changed name of workstation of the user (-)</li>
                        <li><span class="strong">Changed Attribute &gt; SAM Account Name</span>: Changed name of SAM account of the user (-)</li>
                        <li><span class="strong">Target Account &gt; Security ID</span>: Changed SID of the group (SID of the general user)</li>
                        <li><span class="strong">Changed Attribute &gt; SID History</span>: Changed history of SID of the user (-)</li>
                        <li><span class="strong">Changed Attribute &gt; Account Expiration Date</span>: Changed date on which the user account expires</li>
                        <li><span class="strong">Changed Attribute &gt; Password Last Set</span>: Changed password of the user that was last set (execution time)</li>
                        <li><span class="strong">Changed Attribute &gt; User Principal Name</span>: Changed principal name of the user (-)</li>
                        <li><span class="strong">Changed Attribute &gt; User Parameter</span>: Changed parameter of the user (-)</li>
                        <li><span class="strong">Changed Attribute &gt; Primary Group ID</span>: Changed primary group ID to which the user belongs (-)</li>
                        <li><span class="strong">Changed Attribute &gt; New UAC Value</span>: New UAC value for the changed user (0x10)</li>
                        <li><span class="strong">Changed Attribute &gt; Old UAC Value</span>: Old UAC value for the changed user (0x15)</li>
                        <li><span class="strong">Changed Attribute &gt; User Account Control</span>: Changed account control for the user (the account is enabled)</li>
                        <li><span class="strong">Changed Attribute &gt; Logon Time</span>: Changed time at which the user logged on (-)</li>
                        <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool (administrator)</li>
                        <li><span class="strong">Changed Attribute &gt; Home Directory</span>: Changed home directory of the user (-)</li>
                        <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the account belongs (domain)</li>
                        <li><span class="strong">Additional Information &gt; Privileges</span>: Changed privileges of the user (-)</li>
                        <li><span class="strong">Changed Attribute &gt; Profile Path</span>: Changed path to the profile of the user (-)</li>
                        </ul></td>
                    </tr>
                    <tr class="border">
                      <td class="border">17</td>
                      <td class="border">Security</td>
                      <td class="border">4724</td>
                      <td class="border">User Account Management</td>
                      <td class="border">An attempt was made to reset an account password.<ul>
                        <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool (administrator)</li>
                        <li><span class="strong">Target Account &gt; Account Domain</span>: Domain that the account for which an attempt was made to reset the password belongs to (Domain)</li>
                        <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the account belongs (domain)</li>
                        <li><span class="strong">Target Account &gt; Account Name</span>: Name of the account for which an attempt was made to reset the password (added user name)</li>
                        <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool (SID of the administrator)</li>
                        <li><span class="strong">Target Account &gt; Security ID</span>: SID of the user for which an attempt was made to reset the password (SID of the general user)</li>
                        </ul></td>
                    </tr>
                    <tr class="border">
                      <td class="border">18</td>
                      <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                      <td class="border">3</td>
                      <td class="border">Network connection detected (rule: NetworkConnect)</td>
                      <td class="border">Network connection detected.<ul>
                        <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
                        <li><span class="strong">Image</span>: Path to the executable file (System)</li>
                        <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                        <li><span class="strong">User</span>: Execute as user (NT AUTHORITY\SYSTEM)</li>
                        <li><span class="strong">SourceIp/SourceHostname/SourcePort</span>: Source IP address/Host name/Port number (Domain Controller port: 445)</li>
                        <li><span class="strong">DestinationIp/DestinationHostname/DestinationPort</span>: Destination IP address/Host name/Port number (source host)</li>
                        </ul></td>
                    </tr>
                    <tr class="border">
                      <td class="border">19</td>
                      <td class="border">Security</td>
                      <td class="border">4634</td>
                      <td class="border">Logoff</td>
                      <td class="border">An account was logged off.<ul>
                        <li><span class="strong">Logon Type</span>: Logon path, method, etc. (3=Network)</li>
                        <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool ([SID of Administrator]/[Administrator]/[Domain])</li>
                        </ul></td>
                    </tr>
                  </tbody>
                </table>
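                <p>The rows above (4720, 4724, 4722 and 4738 on the domain controller, all sharing the Subject SID of the executing administrator and the SID of the added user) and the net.exe/net1.exe process-creation rows in the source-host table that follows can be tied together into one finding. The script below is an added example, not part of this page or of any tool it describes: events are constructed inline as plain dicts whose keys follow the field names in these tables, and every host name, account, SID and timestamp in it is invented.</p>

```python
"""Correlate the source-host and domain-controller events left behind by
``net user <name> <password> /add /domain``.

Added example, not part of the original page. Events are constructed
below as plain dicts whose keys follow the field names in the tables;
host names, account names, SIDs and timestamps are invented.
"""
from __future__ import annotations

from datetime import datetime, timedelta

# Security event IDs the destination-host table lists for a domain account
# creation: created, password reset, enabled, changed.
DC_CREATION_IDS = {4720, 4724, 4722, 4738}
# net.exe delegates the work to net1.exe, so both images carry the command line.
NET_IMAGES = {"net", "net.exe", "net1", "net1.exe"}
SYSMON = "Microsoft-Windows-Sysmon/Operational"


def parse_net_add(cmdline: str) -> str | None:
    """Return the account name if cmdline is ``net[1] user <name> ... /add``."""
    tokens = cmdline.replace('"', "").split()  # drop quotes around an image path
    if len(tokens) < 3:
        return None
    image = tokens[0].rsplit("\\", 1)[-1].lower()
    if image not in NET_IMAGES or tokens[1].lower() != "user":
        return None
    if "/add" not in (t.lower() for t in tokens[3:]):
        return None  # e.g. a plain "net user <name> /domain" query
    return tokens[2]


def account_creations(dc_events: list[dict]) -> dict[str, dict]:
    """Group the DC's 4720/4722/4724/4738 events by target account.

    ``enabled`` becomes true when a 4738 records the UAC value moving from
    0x15 to 0x10, which the table above describes as the account being enabled.
    """
    out: dict[str, dict] = {}
    for ev in dc_events:
        if ev["channel"] != "Security" or ev["id"] not in DC_CREATION_IDS:
            continue
        rec = out.setdefault(ev["TargetUserName"].lower(), {
            "ids": set(), "subject": ev["SubjectUserName"],
            "subject_sid": ev["SubjectUserSid"], "first": ev["time"], "enabled": False})
        rec["ids"].add(ev["id"])
        rec["first"] = min(rec["first"], ev["time"])
        if ev["id"] == 4738 and ev.get("OldUacValue") == "0x15" and ev.get("NewUacValue") == "0x10":
            rec["enabled"] = True
    return out


def correlate(source_events: list[dict], dc_events: list[dict],
              window: timedelta = timedelta(minutes=5)) -> list[dict]:
    """Pair each DC account creation with net.exe/net1.exe process evidence.

    A Sysmon event ID 1 matches when its command line adds the same account,
    its user name equals the DC Subject Account Name, and it ran within
    ``window`` of the first DC event. Creations with no matching process event
    are still reported with ``source_host`` None, so a creation driven from an
    unmonitored host is not silently dropped.
    """
    findings = []
    for account, rec in account_creations(dc_events).items():
        match = None
        for ev in source_events:
            if ev["channel"] != SYSMON or ev["id"] != 1:
                continue
            if (parse_net_add(ev["CommandLine"]) or "").lower() != account:
                continue
            if ev["User"].rsplit("\\", 1)[-1].lower() != rec["subject"].lower():
                continue
            if abs(ev["time"] - rec["first"]) <= window:
                match = ev
                break
        findings.append({"account": account, "created_by": rec["subject"],
                         "dc_event_ids": sorted(rec["ids"]),
                         "complete": rec["ids"] == DC_CREATION_IDS,
                         "enabled": rec["enabled"],
                         "source_host": match["host"] if match else None,
                         "source_image": match["Image"] if match else None})
    return findings


T0 = datetime(2024, 1, 15, 9, 30, 0)  # constructed timestamp

SOURCE_EVENTS = [  # constructed; mirrors source-host rows 1 and 2
    {"host": "WS01", "channel": SYSMON, "id": 1, "time": T0, "User": "EXAMPLE\\administrator",
     "Image": "C:\\Windows\\System32\\net.exe",
     "CommandLine": "net user svc_backup Passw0rd! /add /domain"},
    {"host": "WS01", "channel": SYSMON, "id": 1, "time": T0, "User": "EXAMPLE\\administrator",
     "Image": "C:\\Windows\\System32\\net1.exe",
     "CommandLine": "C:\\Windows\\system32\\net1 user svc_backup Passw0rd! /add /domain"},
    {"host": "WS01", "channel": SYSMON, "id": 1, "time": T0, "User": "EXAMPLE\\jdoe",
     "Image": "C:\\Windows\\System32\\net.exe", "CommandLine": "net user jdoe /domain"},
]


def dc_event(eid: int, target: str, target_sid: str, t: datetime, **extra) -> dict:
    """Build a constructed DC Security event with the page's field names."""
    base = {"host": "DC01", "channel": "Security", "id": eid, "time": t,
            "SubjectUserName": "administrator", "SubjectUserSid": "S-1-5-21-1-2-3-500",
            "TargetUserName": target, "TargetSid": target_sid}
    base.update(extra)
    return base


DC_EVENTS = [  # constructed; mirrors destination-host rows 14 to 17
    dc_event(4720, "svc_backup", "S-1-5-21-1-2-3-1105", T0 + timedelta(seconds=1),
             OldUacValue="0x0", NewUacValue="0x15", PrimaryGroupId="513"),
    dc_event(4724, "svc_backup", "S-1-5-21-1-2-3-1105", T0 + timedelta(seconds=1)),
    dc_event(4722, "svc_backup", "S-1-5-21-1-2-3-1105", T0 + timedelta(seconds=1)),
    dc_event(4738, "svc_backup", "S-1-5-21-1-2-3-1105", T0 + timedelta(seconds=2),
             OldUacValue="0x15", NewUacValue="0x10"),
    # A creation with no process-creation evidence on any monitored host.
    dc_event(4720, "helpdesk2", "S-1-5-21-1-2-3-1106", T0 + timedelta(hours=2),
             OldUacValue="0x0", NewUacValue="0x15", PrimaryGroupId="513",
             SubjectUserName="ops_admin"),
]

if __name__ == "__main__":
    for finding in correlate(SOURCE_EVENTS, DC_EVENTS):
        print(finding)
```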
            </div>
        </div>
        <hr class="section_divider">
      <h2 class="section"><a href="#SourceDetails" class="collapse" id="a-SourceDetails" onclick="showhide('SourceDetails');">-</a> <a name="SourceDetails">Details: Source Host</a></h2>
        <div class="section" id="div-SourceDetails">
          <h3 class="subsection"><a href="#SourceDetails-EventLogs" class="collapse" id="a-SourceDetails-EventLogs" onclick="showhide('SourceDetails-EventLogs');">-</a> <a name="SourceDetails-EventLogs">Event Log</a></h3>
            <div class="section" id="div-SourceDetails-EventLogs">
              <table class="border">
                <thead>
                  <tr class="border">
                    <th class="border_header">#</th>
                    <th class="border_header">Event Log</th>
                    <th class="border_header">Event ID</th>
                    <th class="border_header">Task Category</th>
                    <th class="border_header">Event Details</th>
                  </tr>
                </thead>
                <tbody>
                  <tr class="border">
                    <td class="border" rowspan="2">1</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">1</td>
                    <td class="border">Process Create (rule: ProcessCreate)</td>
                    <td class="border">Process Create.<ul>
                      <li><span class="strong">LogonGuid/LogonId</span>: ID of the logon session</li>
                      <li><span class="strong">ParentProcessGuid/ParentProcessId</span>: Process ID of the parent process</li>
                      <li><span class="strong">ParentImage</span>: Executable file of the parent process</li>
                      <li><span class="strong">CurrentDirectory</span>: Work directory</li>
                      <li><span class="strong">CommandLine</span>: Command line of the execution command (net user [User Name to Add] [Password] /add /domain)</li>
                      <li><span class="strong">IntegrityLevel</span>: Privilege level (High)</li>
                      <li><span class="strong">ParentCommandLine</span>: Command line of the parent process</li>
                      <li><span class="strong">UtcTime</span>: Process execution date and time (UTC)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">User</span>: Execute as user</li>
                      <li><span class="strong">Hashes</span>: Hash value of the executable file</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\net.exe)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4688</td>
                    <td class="border">Process Create</td>
                    <td class="border">A new process has been created.<ul>
                      <li><span class="strong">Process Information &gt; Required Label</span>: Necessity of privilege escalation</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Process Information &gt; Source Process Name</span>: Path to parent process that created the new process</li>
                      <li><span class="strong">Log Date and Time</span>: Process execution date and time (local time)</li>
                      <li><span class="strong">Process Information &gt; New Process Name</span>: Path to the executable file (C:\Windows\System32\net.exe)</li>
                      <li><span class="strong">Process Information &gt; Token Escalation Type</span>: Presence of privilege escalation</li>
                      <li><span class="strong">Process Information &gt; New Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Process Information &gt; Source Process ID</span>: Process ID of the parent process that created the new process. &quot;Creator Process ID&quot; in Windows 7</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="2">2</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">1</td>
                    <td class="border">Process Create (rule: ProcessCreate)</td>
                    <td class="border">Process Create.<ul>
                      <li><span class="strong">LogonGuid/LogonId</span>: ID of the logon session</li>
                      <li><span class="strong">ParentProcessGuid/ParentProcessId</span>: Process ID of the parent process</li>
                      <li><span class="strong">ParentImage</span>: Executable file of the parent process (C:\Windows\System32\net.exe)</li>
                      <li><span class="strong">CurrentDirectory</span>: Work directory</li>
                      <li><span class="strong">CommandLine</span>: Command line of the execution command (net1 user [User Name to Add] [Password] /add /domain)</li>
                      <li><span class="strong">IntegrityLevel</span>: Privilege level (High)</li>
                      <li><span class="strong">ParentCommandLine</span>: Command line of the parent process (net user [User Name to Add] [Password] /add /domain)</li>
                      <li><span class="strong">UtcTime</span>: Process execution date and time (UTC)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">User</span>: Execute as user</li>
                      <li><span class="strong">Hashes</span>: Hash value of the executable file</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\net1.exe)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4688</td>
                    <td class="border">Process Create</td>
                    <td class="border">A new process has been created.<ul>
                      <li><span class="strong">Process Information &gt; Required Label</span>: Necessity of privilege escalation</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Process Information &gt; Source Process Name</span>: Path to the parent process that created the new process (C:\Windows\System32\net.exe)</li>
                      <li><span class="strong">Log Date and Time</span>: Process execution date and time (local time)</li>
                      <li><span class="strong">Process Information &gt; New Process Name</span>: Path to the executable file (C:\Windows\System32\net1.exe)</li>
                      <li><span class="strong">Process Information &gt; Token Escalation Type</span>: Presence of privilege escalation</li>
                      <li><span class="strong">Process Information &gt; New Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Process Information &gt; Source Process ID</span>: Process ID of the parent process that created the new process. &quot;Creator Process ID&quot; in Windows 7</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="1">3</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">10</td>
                    <td class="border">Process accessed (rule: ProcessAccess)</td>
                    <td class="border">Process accessed.<ul>
                      <li><span class="strong">SourceProcessGUID/SourceProcessId/SourceThreadId</span>: Process ID/Thread ID of the access source process</li>
                      <li><span class="strong">TargetProcessGUID/TargetProcessId</span>: Process ID of the access destination process</li>
                      <li><span class="strong">GrantedAccess</span>: Details of the granted access</li>
                      <li><span class="strong">SourceImage</span>: Path to access source process (C:\Windows\system32\net.exe)</li>
                      <li><span class="strong">TargetImage</span>: Path to the access destination process (C:\Windows\system32\net1.exe)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="2">4</td>
                    <td class="border">Security</td>
                    <td class="border">5158</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has permitted a bind to a local port.<ul>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (17=UDP)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Bind local port (high port)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5156</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
                      <li><span class="strong">Network Information &gt; Destination Port</span>: Destination port number (389)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (high port)</li>
                      <li><span class="strong">Network Information &gt; Destination Address</span>: Destination IP address (Domain Controller)</li>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (17=UDP)</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)</li>
                      <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (outbound)</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (source host)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="1">5</td>
                    <td class="border">Security</td>
                    <td class="border">4703</td>
                    <td class="border">Token Right Adjusted Events</td>
                    <td class="border">A token right was adjusted.<ul>
                      <li><span class="strong">Disabled Privileges</span>: Disabled privileges (-)</li>
                      <li><span class="strong">Target Account &gt; Security ID/Account Name/Account Domain</span>: Target user SID/Account name/Domain (S-1-0-0/[Account Name]/[Domain])</li>
                      <li><span class="strong">Target Account &gt; Logon ID</span>: Session ID of the target user</li>
                      <li><span class="strong">Enabled Privileges</span>: Enabled privileges (SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege, SeDelegateSessionUserImpersonatePrivilege)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool (SYSTEM/[Source Host Name]/[Domain Name])</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Process Information &gt; Process ID</span>: ID of the executed process</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process executed (C:\Windows\System32\lsass.exe)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="3">6</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">3</td>
                    <td class="border">Network connection detected (rule: NetworkConnect)</td>
                    <td class="border">Network connection detected.<ul>
                      <li><span class="strong">Protocol</span>: Protocol</li>
                      <li><span class="strong">DestinationIp</span>: Destination IP address (Domain Controller IP address)</li>
                      <li><span class="strong">Image</span>: Path to the executable file (System)</li>
                      <li><span class="strong">DestinationHostname</span>: Destination host name (Domain Controller host name)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">User</span>: Execute as user (NT AUTHORITY\SYSTEM)</li>
                      <li><span class="strong">DestinationPort</span>: Destination port number (445)</li>
                      <li><span class="strong">SourcePort</span>: Source port number (high port)</li>
                      <li><span class="strong">SourceHostname</span>: Source host name (source host name)</li>
                      <li><span class="strong">SourceIp</span>: Source IP address (source host IP address)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5158</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has permitted a bind to a local port.<ul>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Bind local port (high port)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID (4)</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (System)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5156</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
                      <li><span class="strong">Network Information &gt; Destination Port</span>: Destination port number (445)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (high port)</li>
                      <li><span class="strong">Network Information &gt; Destination Address</span>: Destination IP address (Domain Controller)</li>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (System)</li>
                      <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (outbound)</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (source host)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID (4)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="3">7</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">3</td>
                    <td class="border">Network connection detected (rule: NetworkConnect)</td>
                    <td class="border">Network connection detected.<ul>
                      <li><span class="strong">Protocol</span>: Protocol</li>
                      <li><span class="strong">DestinationIp</span>: Destination IP address (destination host IP address)</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\lsass.exe)</li>
                      <li><span class="strong">DestinationHostname</span>: Destination host name (destination host name)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">User</span>: Execute as user (NT AUTHORITY\SYSTEM)</li>
                      <li><span class="strong">DestinationPort</span>: Destination port number (88)</li>
                      <li><span class="strong">SourcePort</span>: Source port number (high port)</li>
                      <li><span class="strong">SourceHostname</span>: Source host name (source host name)</li>
                      <li><span class="strong">SourceIp</span>: Source IP address (source host IP address)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5158</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has permitted a bind to a local port.<ul>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Bind local port (high port)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5156</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
                      <li><span class="strong">Network Information &gt; Destination Port</span>: Destination port number (88)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (high port)</li>
                      <li><span class="strong">Network Information &gt; Destination Address</span>: Destination IP address (destination host)</li>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)</li>
                      <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (outbound)</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (source host)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="3">8</td>
                    <td class="border">Security</td>
                    <td class="border">4656</td>
                    <td class="border">File System/Other Object Access Events</td>
                    <td class="border">A handle to an object was requested.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (including SYNCHRONIZE and WriteAttributes)</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Users\[Account Name]\AppData\Roaming\Microsoft\Credentials)</li>
                      <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool</li>
                      <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the account belongs</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\lsass.exe)</li>
                      <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool</li>
                      <li><span class="strong">Object &gt; Object Type</span>: Type of the file (File)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4663</td>
                    <td class="border">File System</td>
                    <td class="border">An attempt was made to access an object.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privilege</li>
                      <li><span class="strong">Audit Success</span>: Success or failure (access successful)</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Users\[Account Name]\AppData\Roaming\Microsoft\Credentials)</li>
                      <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool</li>
                      <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the account belongs</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\lsass.exe)</li>
                      <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool</li>
                      <li><span class="strong">Object &gt; Object Type</span>: Category of the target (File)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4658</td>
                    <td class="border">File System</td>
                    <td class="border">The handle to an object was closed.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that requested the object (C:\Windows\System32\lsass.exe)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="2">9</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">5</td>
                    <td class="border">Process terminated (rule: ProcessTerminate)</td>
                    <td class="border">Process terminated.<ul>
                      <li><span class="strong">UtcTime</span>: Process terminated date and time (UTC)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\net1.exe)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4689</td>
                    <td class="border">Process Termination</td>
                    <td class="border">A process has exited.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Process Information &gt; Exit Status</span>: Process return value (0x0)</li>
                      <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool (account name)</li>
                      <li><span class="strong">Log Date and Time</span>: Process terminated date and time (local time)</li>
                      <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the account belongs (domain)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Path to the executable file (C:\Windows\System32\net1.exe)</li>
                      <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool (user SID)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="4">10</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">11</td>
                    <td class="border">File created (rule: FileCreate)</td>
                    <td class="border">File created.<ul>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\svchost.exe)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">TargetFilename</span>: Created file (C:\Windows\Prefetch\NET1.EXE-[RANDOM].pf)</li>
                      <li><span class="strong">CreationUtcTime</span>: File creation date and time (UTC)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4656</td>
                    <td class="border">File System/Other Object Access Events</td>
                    <td class="border">A handle to an object was requested.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (READ_CONTROL/-/[Hexadecimal])</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Windows\Prefetch\NET1.EXE-[RANDOM].pf)</li>
                      <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool (source host)</li>
                      <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the account belongs (domain)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)</li>
                      <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool (SYSTEM)</li>
                      <li><span class="strong">Object &gt; Object Type</span>: Type of the file (File)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4663</td>
                    <td class="border">File System</td>
                    <td class="border">An attempt was made to access an object.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privilege</li>
                      <li><span class="strong">Audit Success</span>: Success or failure (access successful)</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Windows\Prefetch\NET1.EXE-[RANDOM].pf)</li>
                      <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool (source host)</li>
                      <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the account belongs (domain)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)</li>
                      <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool (SYSTEM)</li>
                      <li><span class="strong">Object &gt; Object Type</span>: Category of the target (File)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4658</td>
                    <td class="border">File System</td>
                    <td class="border">The handle to an object was closed.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that requested the object (C:\Windows\System32\svchost.exe)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="2">11</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">5</td>
                    <td class="border">Process terminated (rule: ProcessTerminate)</td>
                    <td class="border">Process terminated.<ul>
                      <li><span class="strong">UtcTime</span>: Process terminated date and time (UTC)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\net.exe)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4689</td>
                    <td class="border">Process Termination</td>
                    <td class="border">A process has exited.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Process Information &gt; Exit Status</span>: Process return value (0x0)</li>
                      <li><span class="strong">Log Date and Time</span>: Process terminated date and time (local time)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Path to the executable file (C:\Windows\System32\net.exe)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="3">12</td>
                    <td class="border">Security</td>
                    <td class="border">4656</td>
                    <td class="border">File System/Other Object Access Events</td>
                    <td class="border">A handle to an object was requested.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privileges (including WriteData or AddFile, and AppendData)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Windows\Prefetch\NET.EXE-[ALPHANUM].pf)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)</li>
                      <li><span class="strong">Object &gt; Object Type</span>: Type of the file (File)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4663</td>
                    <td class="border">File System</td>
                    <td class="border">An attempt was made to access an object.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privilege</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Windows\Prefetch\NET.EXE-[ALPHANUM].pf)</li>
                      <li><span class="strong">Audit Success</span>: Success or failure (access successful)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)</li>
                      <li><span class="strong">Object &gt; Object Type</span>: Category of the target (File)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4658</td>
                    <td class="border">File System</td>
                    <td class="border">The handle to an object was closed.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that requested the object (C:\Windows\System32\svchost.exe)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="2">13</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">1</td>
                    <td class="border">Process Create (rule: ProcessCreate)</td>
                    <td class="border">Process Create.<ul>
                      <li><span class="strong">LogonGuid/LogonId</span>: ID of the logon session</li>
                      <li><span class="strong">ParentProcessGuid/ParentProcessId</span>: Process ID of the parent process</li>
                      <li><span class="strong">ParentImage</span>: Executable file of the parent process</li>
                      <li><span class="strong">CurrentDirectory</span>: Work directory</li>
                      <li><span class="strong">CommandLine</span>: Command line of the execution command (net  group &quot;domain admins&quot; [User Name to Add] /add /domain)</li>
                      <li><span class="strong">IntegrityLevel</span>: Privilege level (High)</li>
                      <li><span class="strong">ParentCommandLine</span>: Command line of the parent process</li>
                      <li><span class="strong">UtcTime</span>: Process execution date and time (UTC)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">User</span>: Execute as user</li>
                      <li><span class="strong">Hashes</span>: Hash value of the executable file</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\net.exe)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4688</td>
                    <td class="border">Process Create</td>
                    <td class="border">A new process has been created.<ul>
                      <li><span class="strong">Process Information &gt; Required Label</span>: Necessity of privilege escalation</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Process Information &gt; Source Process Name</span>: Path to parent process that created the new process</li>
                      <li><span class="strong">Log Date and Time</span>: Process execution date and time (local time)</li>
                      <li><span class="strong">Process Information &gt; New Process Name</span>: Path to the executable file (C:\Windows\System32\net.exe)</li>
                      <li><span class="strong">Process Information &gt; Token Escalation Type</span>: Presence of privilege escalation (1)</li>
                      <li><span class="strong">Process Information &gt; New Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Process Information &gt; Source Process ID</span>: Process ID of the parent process that created the new process. &quot;Creator Process ID&quot; in Windows 7</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="2">14</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">1</td>
                    <td class="border">Process Create (rule: ProcessCreate)</td>
                    <td class="border">Process Create.<ul>
                      <li><span class="strong">LogonGuid/LogonId</span>: ID of the logon session</li>
                      <li><span class="strong">ParentProcessGuid/ParentProcessId</span>: Process ID of the parent process</li>
                      <li><span class="strong">ParentImage</span>: Executable file of the parent process (C:\Windows\System32\net.exe)</li>
                      <li><span class="strong">CurrentDirectory</span>: Work directory</li>
                      <li><span class="strong">CommandLine</span>: Command line of the execution command (C:\Windows\system32\net1  group &quot;domain admins&quot; [User Name to Add] /add /domain)</li>
                      <li><span class="strong">IntegrityLevel</span>: Privilege level (High)</li>
                      <li><span class="strong">ParentCommandLine</span>: Command line of the parent process (net  group &quot;domain admins&quot; [User Name to Add] /add /domain)</li>
                      <li><span class="strong">UtcTime</span>: Process execution date and time (UTC)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">User</span>: Execute as user</li>
                      <li><span class="strong">Hashes</span>: Hash value of the executable file</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\net1.exe)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4688</td>
                    <td class="border">Process Create</td>
                    <td class="border">A new process has been created.<ul>
                      <li><span class="strong">Process Information &gt; Required Label</span>: Necessity of privilege escalation</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Process Information &gt; Source Process Name</span>: Path to the parent process that created the new process (C:\Windows\System32\net.exe)</li>
                      <li><span class="strong">Log Date and Time</span>: Process execution date and time (local time)</li>
                      <li><span class="strong">Process Information &gt; New Process Name</span>: Path to the executable file (C:\Windows\System32\net1.exe)</li>
                      <li><span class="strong">Process Information &gt; Token Escalation Type</span>: Presence of privilege escalation (1)</li>
                      <li><span class="strong">Process Information &gt; New Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Process Information &gt; Source Process ID</span>: Process ID of the parent process that created the new process. &quot;Creator Process ID&quot; in Windows 7</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="1">15</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">10</td>
                    <td class="border">Process accessed (rule: ProcessAccess)</td>
                    <td class="border">Process accessed.<ul>
                      <li><span class="strong">SourceProcessGUID/SourceProcessId/SourceThreadId</span>: Process ID/Thread ID of the access source process</li>
                      <li><span class="strong">TargetProcessGUID/TargetProcessId</span>: Process ID of the access destination process</li>
                      <li><span class="strong">GrantedAccess</span>: Details of the granted access (0x1fffff)</li>
                      <li><span class="strong">SourceImage</span>: Path to access source process (C:\Windows\System32\net.exe)</li>
                      <li><span class="strong">TargetImage</span>: Path to the access destination process (C:\Windows\System32\net1.exe)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="1">16</td>
                    <td class="border">Security</td>
                    <td class="border">4703</td>
                    <td class="border">Token Right Adjusted Events</td>
                    <td class="border">A token right was adjusted.<ul>
                      <li><span class="strong">Disabled Privileges</span>: Disabled privileges (-)</li>
                      <li><span class="strong">Target Account &gt; Security ID/Account Name/Account Domain</span>: Target user SID/Account name/Domain (S-1-0-0/[Account Name]/[Domain])</li>
                      <li><span class="strong">Target Account &gt; Logon ID</span>: Session ID of the target user</li>
                      <li><span class="strong">Enabled Privileges</span>: Enabled privileges (SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege, SeDelegateSessionUserImpersonatePrivilege)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool (SYSTEM/[Source Host Name]$/[Domain Name])</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Process Information &gt; Process ID</span>: ID of the executed process</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process executed (C:\Windows\System32\lsass.exe)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="3">17</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">3</td>
                    <td class="border">Network connection detected (rule: NetworkConnect)</td>
                    <td class="border">Network connection detected.<ul>
                      <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
                      <li><span class="strong">DestinationIp</span>: Destination IP address (destination host IP address)</li>
                      <li><span class="strong">Image</span>: Path to the executable file (System)</li>
                      <li><span class="strong">DestinationHostname</span>: Destination host name (destination host name)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID (4)</li>
                      <li><span class="strong">User</span>: Execute as user (NT AUTHORITY\SYSTEM)</li>
                      <li><span class="strong">DestinationPort</span>: Destination port number (445)</li>
                      <li><span class="strong">SourcePort</span>: Source port number (high port)</li>
                      <li><span class="strong">SourceHostname</span>: Source host name (source host name)</li>
                      <li><span class="strong">SourceIp</span>: Source IP address (source host IP address)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5158</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has permitted a bind to a local port.<ul>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Bind local port (high port)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID (4)</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (System)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5156</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
                      <li><span class="strong">Network Information &gt; Destination Port</span>: Destination port number (445)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (high port)</li>
                      <li><span class="strong">Network Information &gt; Destination Address</span>: Destination IP address (Domain Controller)</li>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (System)</li>
                      <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (outbound)</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (source host)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID (4)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="2">18</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">5</td>
                    <td class="border">Process terminated (rule: ProcessTerminate)</td>
                    <td class="border">Process terminated.<ul>
                      <li><span class="strong">UtcTime</span>: Process terminated date and time (UTC)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\net1.exe)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4689</td>
                    <td class="border">Process Termination</td>
                    <td class="border">A process has exited.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Process Information &gt; Exit Status</span>: Process return value (0x0)</li>
                      <li><span class="strong">Log Date and Time</span>: Process terminated date and time (local time)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Path to the executable file (C:\Windows\System32\net1.exe)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="3">19</td>
                    <td class="border">Security</td>
                    <td class="border">4656</td>
                    <td class="border">File System/Other Object Access Events</td>
                    <td class="border">A handle to an object was requested.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privilege</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Windows\Prefetch\NET1.EXE-[ALPHANUM].pf)</li>
                      <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool (source host)</li>
                      <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the account belongs (domain)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)</li>
                      <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool (SYSTEM)</li>
                      <li><span class="strong">Object &gt; Object Type</span>: Type of the file (File)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4663</td>
                    <td class="border">File System</td>
                    <td class="border">An attempt was made to access an object.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privilege</li>
                      <li><span class="strong">Audit Success</span>: Success or failure (access successful)</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Windows\Prefetch\NET1.EXE-[ALPHANUM].pf)</li>
                      <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool (source host)</li>
                      <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the account belongs (domain)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)</li>
                      <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool (SYSTEM)</li>
                      <li><span class="strong">Object &gt; Object Type</span>: Category of the target (File)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4658</td>
                    <td class="border">File System</td>
                    <td class="border">The handle to an object was closed.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool (source host)</li>
                      <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the account belongs (domain)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that requested the object (C:\Windows\System32\svchost.exe)</li>
                      <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool (SYSTEM)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="2">20</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">5</td>
                    <td class="border">Process terminated (rule: ProcessTerminate)</td>
                    <td class="border">Process terminated.<ul>
                      <li><span class="strong">UtcTime</span>: Process terminated date and time (UTC)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\net.exe)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4689</td>
                    <td class="border">Process Termination</td>
                    <td class="border">A process has exited.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Process Information &gt; Exit Status</span>: Process return value (0x0)</li>
                      <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool (account name)</li>
                      <li><span class="strong">Log Date and Time</span>: Process terminated date and time (local time)</li>
                      <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the account belongs (domain)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Path to the executable file (C:\Windows\System32\net.exe)</li>
                      <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool (user SID)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="3">21</td>
                    <td class="border">Security</td>
                    <td class="border">4656</td>
                    <td class="border">File System/Other Object Access Events</td>
                    <td class="border">A handle to an object was requested.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privilege</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Windows\Prefetch\NET.EXE-[RANDOM].pf)</li>
                      <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool (source host)</li>
                      <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the account belongs (domain)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)</li>
                      <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool (SYSTEM)</li>
                      <li><span class="strong">Object &gt; Object Type</span>: Type of the file (File)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4663</td>
                    <td class="border">File System</td>
                    <td class="border">An attempt was made to access an object.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privilege</li>
                      <li><span class="strong">Audit Success</span>: Success or failure (access successful)</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Windows\Prefetch\NET.EXE-[RANDOM].pf)</li>
                      <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool (source host)</li>
                      <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the account belongs (domain)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)</li>
                      <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool (SYSTEM)</li>
                      <li><span class="strong">Object &gt; Object Type</span>: Category of the target (File)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4658</td>
                    <td class="border">File System</td>
                    <td class="border">The handle to an object was closed.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool (source host)</li>
                      <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the account belongs (domain)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that requested the object (C:\Windows\System32\svchost.exe)</li>
                      <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool (SYSTEM)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="2">22</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">1</td>
                    <td class="border">Process Create (rule: ProcessCreate)</td>
                    <td class="border">Process Create.<ul>
                      <li><span class="strong">LogonGuid/LogonId</span>: ID of the logon session</li>
                      <li><span class="strong">ParentProcessGuid/ParentProcessId</span>: Process ID of the parent process</li>
                      <li><span class="strong">ParentImage</span>: Executable file of the parent process</li>
                      <li><span class="strong">CurrentDirectory</span>: Work directory</li>
                      <li><span class="strong">CommandLine</span>: Command line of the execution command (net user [User Name to Create] /delete /domain)</li>
                      <li><span class="strong">IntegrityLevel</span>: Privilege level (High)</li>
                      <li><span class="strong">ParentCommandLine</span>: Command line of the parent process</li>
                      <li><span class="strong">UtcTime</span>: Process execution date and time (UTC)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">User</span>: Execute as user</li>
                      <li><span class="strong">Hashes</span>: Hash value of the executable file</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\net.exe)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4688</td>
                    <td class="border">Process Create</td>
                    <td class="border">A new process has been created.<ul>
                      <li><span class="strong">Process Information &gt; Required Label</span>: Necessity of privilege escalation</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Process Information &gt; Source Process Name</span>: Path to parent process that created the new process</li>
                      <li><span class="strong">Log Date and Time</span>: Process execution date and time (local time)</li>
                      <li><span class="strong">Process Information &gt; New Process Name</span>: Path to the executable file (C:\Windows\System32\net.exe)</li>
                      <li><span class="strong">Process Information &gt; Token Escalation Type</span>: Presence of privilege escalation (1)</li>
                      <li><span class="strong">Process Information &gt; New Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Process Information &gt; Source Process ID</span>: Process ID of the parent process that created the new process. &quot;Creator Process ID&quot; in Windows 7</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="2">23</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">1</td>
                    <td class="border">Process Create (rule: ProcessCreate)</td>
                    <td class="border">Process Create.<ul>
                      <li><span class="strong">LogonGuid/LogonId</span>: ID of the logon session</li>
                      <li><span class="strong">ParentProcessGuid/ParentProcessId</span>: Process ID of the parent process</li>
                      <li><span class="strong">ParentImage</span>: Executable file of the parent process (C:\Windows\System32\net.exe)</li>
                      <li><span class="strong">CurrentDirectory</span>: Work directory</li>
                      <li><span class="strong">CommandLine</span>: Command line of the execution command (C:\Windows\System32\net1  user netusertest /delete /domain)</li>
                      <li><span class="strong">IntegrityLevel</span>: Privilege level (High)</li>
                      <li><span class="strong">ParentCommandLine</span>: Command line of the parent process (net user [User Name to Create] /delete /domain)</li>
                      <li><span class="strong">UtcTime</span>: Process execution date and time (UTC)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">User</span>: Execute as user</li>
                      <li><span class="strong">Hashes</span>: Hash value of the executable file</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\net1.exe)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4688</td>
                    <td class="border">Process Create</td>
                    <td class="border">A new process has been created.<ul>
                      <li><span class="strong">Process Information &gt; Required Label</span>: Necessity of privilege escalation</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Process Information &gt; Source Process Name</span>: Path to the parent process that created the new process (C:\Windows\System32\net.exe)</li>
                      <li><span class="strong">Log Date and Time</span>: Process execution date and time (local time)</li>
                      <li><span class="strong">Process Information &gt; New Process Name</span>: Path to the executable file (C:\Windows\System32\net1.exe)</li>
                      <li><span class="strong">Process Information &gt; Token Escalation Type</span>: Presence of privilege escalation (1)</li>
                      <li><span class="strong">Process Information &gt; New Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Process Information &gt; Source Process ID</span>: Process ID of the parent process that created the new process. &quot;Creator Process ID&quot; in Windows 7</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="1">24</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">10</td>
                    <td class="border">Process accessed (rule: ProcessAccess)</td>
                    <td class="border">Process accessed.<ul>
                      <li><span class="strong">SourceProcessGUID/SourceProcessId/SourceThreadId</span>: Process ID/Thread ID of the access source process</li>
                      <li><span class="strong">TargetProcessGUID/TargetProcessId</span>: Process ID of the access destination process</li>
                      <li><span class="strong">GrantedAccess</span>: Details of the granted access</li>
                      <li><span class="strong">SourceImage</span>: Path to access source process (C:\Windows\System32\net.exe)</li>
                      <li><span class="strong">TargetImage</span>: Path to the access destination process (C:\Windows\System32\net1.exe)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="1">25</td>
                    <td class="border">Security</td>
                    <td class="border">4703</td>
                    <td class="border">Token Right Adjusted Events</td>
                    <td class="border">A token right was adjusted.<ul>
                      <li><span class="strong">Disabled Privileges</span>: Disabled privileges (-)</li>
                      <li><span class="strong">Target Account &gt; Security ID/Account Name/Account Domain</span>: Target user SID/Account name/Domain (S-1-0-0/[Account Name]/[Domain])</li>
                      <li><span class="strong">Target Account &gt; Logon ID</span>: Session ID of the target user</li>
                      <li><span class="strong">Enabled Privileges</span>: Enabled privileges (SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege, SeDelegateSessionUserImpersonatePrivilege)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool (SYSTEM/[Source Host Name]/[Domain Name])</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Process Information &gt; Process ID</span>: ID of the executed process</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process executed (C:\Windows\System32\lsass.exe)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="3">26</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">3</td>
                    <td class="border">Network connection detected (rule: NetworkConnect)</td>
                    <td class="border">Network connection detected.<ul>
                      <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
                      <li><span class="strong">DestinationIp</span>: Destination IP address (Domain Controller IP address)</li>
                      <li><span class="strong">Image</span>: Path to the executable file (System)</li>
                      <li><span class="strong">DestinationHostname</span>: Destination host name (Domain Controller host name)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID (4)</li>
                      <li><span class="strong">User</span>: Execute as user (NT AUTHORITY\SYSTEM)</li>
                      <li><span class="strong">DestinationPort</span>: Destination port number (445)</li>
                      <li><span class="strong">SourcePort</span>: Source port number (high port)</li>
                      <li><span class="strong">SourceHostname</span>: Source host name (source host name)</li>
                      <li><span class="strong">SourceIp</span>: Source IP address (source host IP address)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5158</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has permitted a bind to a local port.<ul>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Bind local port (high port)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID (4)</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (System)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5156</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
                      <li><span class="strong">Network Information &gt; Destination Port</span>: Destination port number (445)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (high port)</li>
                      <li><span class="strong">Network Information &gt; Destination Address</span>: Destination IP address (Domain Controller)</li>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (System)</li>
                      <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (outbound)</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (source host)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID (4)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="2">27</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">5</td>
                    <td class="border">Process terminated (rule: ProcessTerminate)</td>
                    <td class="border">Process terminated.<ul>
                      <li><span class="strong">UtcTime</span>: Process terminated date and time (UTC)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\net1.exe)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4689</td>
                    <td class="border">Process Termination</td>
                    <td class="border">A process has exited.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Process Information &gt; Exit Status</span>: Process return value (0x0)</li>
                      <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool (account name)</li>
                      <li><span class="strong">Log Date and Time</span>: Process terminated date and time (local time)</li>
                      <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the account belongs (domain)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Path to the executable file (C:\Windows\System32\net1.exe)</li>
                      <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool (user SID)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="2">28</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">5</td>
                    <td class="border">Process terminated (rule: ProcessTerminate)</td>
                    <td class="border">Process terminated.<ul>
                      <li><span class="strong">UtcTime</span>: Process terminated date and time (UTC)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\net.exe)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4689</td>
                    <td class="border">Process Termination</td>
                    <td class="border">A process has exited.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Process Information &gt; Exit Status</span>: Process return value (0x0)</li>
                      <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool (account name)</li>
                      <li><span class="strong">Log Date and Time</span>: Process terminated date and time (local time)</li>
                      <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the account belongs (domain)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Path to the executable file (C:\Windows\System32\net.exe)</li>
                      <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool (user SID)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="3">29</td>
                    <td class="border">Security</td>
                    <td class="border">4656</td>
                    <td class="border">File System/Other Object Access Events</td>
                    <td class="border">A handle to an object was requested.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privilege</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Windows\Prefetch\NET1.EXE-[RANDOM].pf)</li>
                      <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool (source host)</li>
                      <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the account belongs (domain)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that requested the handle (C:\Windows\System32\svchost.exe)</li>
                      <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool (SYSTEM)</li>
                      <li><span class="strong">Object &gt; Object Type</span>: Type of the file (File)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4663</td>
                    <td class="border">File System</td>
                    <td class="border">An attempt was made to access an object.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privilege</li>
                      <li><span class="strong">Audit Success</span>: Success or failure (access successful)</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Windows\Prefetch\NET1.EXE-[RANDOM].pf)</li>
                      <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool (source host)</li>
                      <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the account belongs (domain)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that accessed the object (C:\Windows\System32\svchost.exe)</li>
                      <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool (SYSTEM)</li>
                      <li><span class="strong">Object &gt; Object Type</span>: Category of the target (File)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4658</td>
                    <td class="border">File System</td>
                    <td class="border">The handle to an object was closed.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool (source host)</li>
                      <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the account belongs (domain)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)</li>
                      <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool (SYSTEM)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="3">30</td>
                    <td class="border">Security</td>
                    <td class="border">4656</td>
                    <td class="border">File System/Other Object Access Events</td>
                    <td class="border">A handle to an object was requested.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privilege</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Windows\Prefetch\NET.EXE-[RANDOM].pf)</li>
                      <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool (source host)</li>
                      <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the account belongs (domain)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that requested the handle (C:\Windows\System32\svchost.exe)</li>
                      <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool (SYSTEM)</li>
                      <li><span class="strong">Object &gt; Object Type</span>: Type of the file (File)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4663</td>
                    <td class="border">File System</td>
                    <td class="border">An attempt was made to access an object.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Access Request Information &gt; Access/Reason for Access/Access Mask</span>: Requested privilege</li>
                      <li><span class="strong">Audit Success</span>: Success or failure (access successful)</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target file name (C:\Windows\Prefetch\NET.EXE-[RANDOM].pf)</li>
                      <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool (source host)</li>
                      <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the account belongs (domain)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that accessed the object (C:\Windows\System32\svchost.exe)</li>
                      <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool (SYSTEM)</li>
                      <li><span class="strong">Object &gt; Object Type</span>: Category of the target (File)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4658</td>
                    <td class="border">File System</td>
                    <td class="border">The handle to an object was closed.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool (source host)</li>
                      <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the account belongs (domain)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\svchost.exe)</li>
                      <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool (SYSTEM)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                      </ul></td>
                  </tr>
                </tbody>
              </table>
            </div>
          <h3 class="subsection"><a href="#SourceDetails-USNJournal" class="collapse" id="a-SourceDetails-USNJournal" onclick="showhide('SourceDetails-USNJournal');">-</a> <a name="SourceDetails-USNJournal">USN Journal</a></h3>
            <div class="section" id="div-SourceDetails-USNJournal">
              <table class="border">
                <thead>
                  <tr class="border">
                    <th class="border_header">#</th>
                    <th class="border_header">File Name</th>
                    <th class="border_header">Process</th>
                    <th class="border_header">Attribute</th>
                  </tr>
                </thead>
                <tbody>
                  <tr class="border">
                    <td class="border" rowspan="3">1</td>
                    <td class="border">NET1.EXE-[RANDOM].pf</td>
                    <td class="border">FILE_CREATE</td>
                    <td class="border">archive+not_indexed</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">NET1.EXE-[RANDOM].pf</td>
                    <td class="border">DATA_EXTEND+FILE_CREATE</td>
                    <td class="border">archive+not_indexed</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">NET1.EXE-[RANDOM].pf</td>
                    <td class="border">CLOSE+DATA_EXTEND+FILE_CREATE</td>
                    <td class="border">archive+not_indexed</td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="3">2</td>
                    <td class="border">NET.EXE-[RANDOM].pf</td>
                    <td class="border">FILE_CREATE</td>
                    <td class="border">archive+not_indexed</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">NET.EXE-[RANDOM].pf</td>
                    <td class="border">DATA_EXTEND+FILE_CREATE</td>
                    <td class="border">archive+not_indexed</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">NET.EXE-[RANDOM].pf</td>
                    <td class="border">CLOSE+DATA_EXTEND+FILE_CREATE</td>
                    <td class="border">archive+not_indexed</td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="3">3</td>
                    <td class="border">NET1.EXE-[RANDOM].pf</td>
                    <td class="border">DATA_TRUNCATION</td>
                    <td class="border">archive+not_indexed</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">NET1.EXE-[RANDOM].pf</td>
                    <td class="border">DATA_EXTEND+DATA_TRUNCATION</td>
                    <td class="border">archive+not_indexed</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">NET1.EXE-[RANDOM].pf</td>
                    <td class="border">CLOSE+DATA_EXTEND+DATA_TRUNCATION</td>
                    <td class="border">archive+not_indexed</td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="3">4</td>
                    <td class="border">NET.EXE-[RANDOM].pf</td>
                    <td class="border">DATA_TRUNCATION</td>
                    <td class="border">archive+not_indexed</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">NET.EXE-[RANDOM].pf</td>
                    <td class="border">DATA_EXTEND+DATA_TRUNCATION</td>
                    <td class="border">archive+not_indexed</td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">NET.EXE-[RANDOM].pf</td>
                    <td class="border">CLOSE+DATA_EXTEND+DATA_TRUNCATION</td>
                    <td class="border">archive+not_indexed</td>
                  </tr>
                </tbody>
              </table>
            </div>
          <h3 class="subsection"><a href="#SourceDetails-MFT" class="collapse" id="a-SourceDetails-MFT" onclick="showhide('SourceDetails-MFT');">-</a> <a name="SourceDetails-MFT">MFT</a></h3>
            <div class="section" id="div-SourceDetails-MFT">
              <table class="border">
                <thead>
                  <tr class="border">
                    <th class="border_header">#</th>
                    <th class="border_header">Path</th>
                    <th class="border_header">Header Flag</th>
                    <th class="border_header">Validity</th>
                  </tr>
                </thead>
                <tbody>
                  <tr class="border">
                    <td class="border" rowspan="1">1</td>
                    <td class="border">[Drive Name]:\Windows\Prefetch\NET1.EXE-[RANDOM].pf</td>
                    <td class="border">FILE</td>
                    <td class="border">ALLOCATED</td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="1">2</td>
                    <td class="border">[Drive Name]:\Windows\Prefetch\NET.EXE-[RANDOM].pf</td>
                    <td class="border">FILE</td>
                    <td class="border">ALLOCATED</td>
                  </tr>
                </tbody>
              </table>
            </div>
          <h3 class="subsection"><a href="#SourceDetails-Prefetch" class="collapse" id="a-SourceDetails-Prefetch" onclick="showhide('SourceDetails-Prefetch');">-</a> <a name="SourceDetails-Prefetch">Prefetch</a></h3>
            <div class="section" id="div-SourceDetails-Prefetch">
              <table class="border">
                <thead>
                  <tr class="border">
                    <th class="border_header">#</th>
                    <th class="border_header">Prefetch File</th>
                    <th class="border_header">Process Name</th>
                    <th class="border_header">Process Path</th>
                    <th class="border_header">Information That Can Be Confirmed</th>
                  </tr>
                </thead>
                <tbody>
                  <tr class="border">
                    <td class="border" rowspan="1">1</td>
                    <td class="border">C:\Windows\Prefetch\NET1.EXE-[RANDOM].pf</td>
                    <td class="border">NET1.EXE</td>
                    <td class="border">C:\WINDOWS\SYSTEM32\NET1.EXE</td>
                    <td class="border">Last Run Time (last execution date and time)</td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="1">2</td>
                    <td class="border">C:\Windows\Prefetch\NET.EXE-[RANDOM].pf</td>
                    <td class="border">NET.EXE</td>
                    <td class="border">C:\WINDOWS\SYSTEM32\NET.EXE</td>
                    <td class="border">Last Run Time (last execution date and time)</td>
                  </tr>
                </tbody>
              </table>
            </div>
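<p>Added example, not part of this sheet: a Python script that reads USN journal records shaped like rows 1-4 of the USN Journal table above, counts each completed prefetch write of NET.EXE or NET1.EXE as one execution, tells first runs (FILE_CREATE) from later runs (DATA_TRUNCATION), and pairs the two binaries into single net invocations. The pipe-separated input layout, the timestamps and the prefetch hashes are constructed stand-ins for the [RANDOM] values in the tables.</p>

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Prefetch files for the two binaries this sheet covers. Windows names them
# <EXE>-<8 hex digits>.pf; the tables above write the digits as [RANDOM].
PF_NAME = re.compile(r"^(?P<exe>NET1?\.EXE)-(?P<hash>[0-9A-F]{8})\.pf$", re.IGNORECASE)


@dataclass(frozen=True)
class UsnRecord:
    time: datetime
    file_name: str
    reasons: frozenset   # USN reason flags, e.g. {"CLOSE", "DATA_EXTEND", "FILE_CREATE"}
    attributes: str      # e.g. "archive+not_indexed"


def parse_usn_line(line):
    """Parse one 'timestamp|file name|reason+reason|attributes' line.
    The pipe-separated layout is a constructed export format for this example,
    not the output of any particular USN parsing tool."""
    time, name, reasons, attrs = line.strip().split("|")
    return UsnRecord(datetime.fromisoformat(time), name, frozenset(reasons.split("+")), attrs)


def prefetch_executions(records):
    """Return one hit per completed prefetch write of NET.EXE or NET1.EXE.

    The journal writes three records per execution (FILE_CREATE or DATA_TRUNCATION,
    then +DATA_EXTEND, then +CLOSE); only the CLOSE record is counted so each
    execution yields one hit.  FILE_CREATE means the .pf did not exist yet (first
    run on this host); DATA_TRUNCATION means an existing .pf was rewritten (a later
    run).  The Prefetch table above only gives the last run time, so the journal is
    what recovers the earlier runs."""
    hits = []
    for rec in sorted(records, key=lambda r: r.time):   # stable sort keeps line order
        m = PF_NAME.match(rec.file_name)
        if not m or "CLOSE" not in rec.reasons:
            continue
        if "FILE_CREATE" in rec.reasons:
            kind = "first execution"
        elif "DATA_TRUNCATION" in rec.reasons:
            kind = "subsequent execution"
        else:
            continue  # a close without a rewrite (e.g. a read of the .pf) is not a run
        hits.append({"time": rec.time, "exe": m.group("exe").upper(), "kind": kind})
    return hits


def pair_invocations(hits, gap=timedelta(seconds=5)):
    """Group a NET.EXE hit and a NET1.EXE hit that fall within `gap` into one
    invocation: net.exe hands `net user`/`net group` to net1.exe, so one command
    leaves both prefetch writes close together (the event log rows above show the
    two processes exiting back to back).  A hit with no partner stands alone."""
    invocations = []
    current = None
    for h in sorted(hits, key=lambda x: x["time"]):
        if current and h["exe"] not in current["exes"] and h["time"] - current["time"] <= gap:
            current["exes"].append(h["exe"])  # partner binary of the same command
            continue
        current = {"time": h["time"], "exes": [h["exe"]], "kind": h["kind"]}
        invocations.append(current)
    return invocations


# Constructed journal lines modelled on rows 1-4 of the USN Journal table above, with
# fixed stand-ins for the [RANDOM] hashes, plus one unrelated CMD.EXE record.
SAMPLE_USN = """\
2024-05-01T10:00:00|NET1.EXE-0A1B2C3D.pf|FILE_CREATE|archive+not_indexed
2024-05-01T10:00:00|NET1.EXE-0A1B2C3D.pf|DATA_EXTEND+FILE_CREATE|archive+not_indexed
2024-05-01T10:00:00|NET1.EXE-0A1B2C3D.pf|CLOSE+DATA_EXTEND+FILE_CREATE|archive+not_indexed
2024-05-01T10:00:01|NET.EXE-4E5F6A7B.pf|FILE_CREATE|archive+not_indexed
2024-05-01T10:00:01|NET.EXE-4E5F6A7B.pf|DATA_EXTEND+FILE_CREATE|archive+not_indexed
2024-05-01T10:00:01|NET.EXE-4E5F6A7B.pf|CLOSE+DATA_EXTEND+FILE_CREATE|archive+not_indexed
2024-05-01T10:00:30|CMD.EXE-1C2D3E4F.pf|CLOSE+DATA_EXTEND+DATA_TRUNCATION|archive+not_indexed
2024-05-01T10:02:00|NET1.EXE-0A1B2C3D.pf|DATA_TRUNCATION|archive+not_indexed
2024-05-01T10:02:00|NET1.EXE-0A1B2C3D.pf|DATA_EXTEND+DATA_TRUNCATION|archive+not_indexed
2024-05-01T10:02:00|NET1.EXE-0A1B2C3D.pf|CLOSE+DATA_EXTEND+DATA_TRUNCATION|archive+not_indexed
2024-05-01T10:02:01|NET.EXE-4E5F6A7B.pf|DATA_TRUNCATION|archive+not_indexed
2024-05-01T10:02:01|NET.EXE-4E5F6A7B.pf|DATA_EXTEND+DATA_TRUNCATION|archive+not_indexed
2024-05-01T10:02:01|NET.EXE-4E5F6A7B.pf|CLOSE+DATA_EXTEND+DATA_TRUNCATION|archive+not_indexed
"""


def load_sample():
    return [parse_usn_line(l) for l in SAMPLE_USN.splitlines() if l.strip()]


if __name__ == "__main__":
    runs = prefetch_executions(load_sample())
    for r in runs:
        print(r["time"].isoformat(), r["exe"], r["kind"])
    for inv in pair_invocations(runs):
        print("invocation", inv["time"].isoformat(), "+".join(inv["exes"]), inv["kind"])
```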
        </div>
      <h2 class="section"><a href="#DestinationDetails" class="collapse" id="a-DestinationDetails" onclick="showhide('DestinationDetails');">-</a> <a name="DestinationDetails">Details: Destination Host</a></h2>
        <div class="section" id="div-DestinationDetails">
          <h3 class="subsection"><a href="#DestinationDetails-EventLogs" class="collapse" id="a-DestinationDetails-EventLogs" onclick="showhide('DestinationDetails-EventLogs');">-</a> <a name="DestinationDetails-EventLogs">Event Log</a></h3>
            <div class="section" id="div-DestinationDetails-EventLogs">
              <table class="border">
                <thead>
                  <tr class="border">
                    <th class="border_header">#</th>
                    <th class="border_header">Event Log</th>
                    <th class="border_header">Event ID</th>
                    <th class="border_header">Task Category</th>
                    <th class="border_header">Event Details</th>
                  </tr>
                </thead>
                <tbody>
                  <tr class="border">
                    <td class="border" rowspan="2">1</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">3</td>
                    <td class="border">Network connection detected (rule: NetworkConnect)</td>
                    <td class="border">Network connection detected.<ul>
                      <li><span class="strong">Protocol</span>: Protocol (udp)</li>
                      <li><span class="strong">DestinationPort</span>: Destination port number (high port)</li>
                      <li><span class="strong">DestinationIp</span>: Destination IP address (source host IP address)</li>
                      <li><span class="strong">DestinationIp/DestinationHostname/DestinationPort</span>: Destination IP address/Host name/Port number</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\lsass.exe)</li>
                      <li><span class="strong">DestinationHostname</span>: Destination host name (source host name)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">User</span>: Execute as user (NT AUTHORITY\SYSTEM)</li>
                      <li><span class="strong">SourceIp/SourceHostname/SourcePort</span>: Source IP address/Host name/Port number</li>
                      <li><span class="strong">SourcePort</span>: Source port number (389)</li>
                      <li><span class="strong">SourceHostname</span>: Source host name (Domain Controller host name)</li>
                      <li><span class="strong">SourceIp</span>: Source IP address (Domain Controller IP address)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5156</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
                      <li><span class="strong">Network Information &gt; Destination Port</span>: Destination port number (high port)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (389)</li>
                      <li><span class="strong">Network Information &gt; Destination Address</span>: Destination IP address (source host)</li>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (17=UDP)</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)</li>
                      <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (inbound)</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (Domain Controller)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="2">2</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">3</td>
                    <td class="border">Network connection detected (rule: NetworkConnect)</td>
                    <td class="border">Network connection detected.<ul>
                      <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
                      <li><span class="strong">DestinationIp</span>: Destination IP address (source host IP address)</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32)</li>
                      <li><span class="strong">DestinationHostname</span>: Destination host name (source host name)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">User</span>: Execute as user (NT AUTHORITY\SYSTEM)</li>
                      <li><span class="strong">DestinationPort</span>: Destination port number (high port)</li>
                      <li><span class="strong">SourcePort</span>: Source port number (445)</li>
                      <li><span class="strong">SourceHostname</span>: Source host name (Domain Controller host name)</li>
                      <li><span class="strong">SourceIp</span>: Source IP address (Domain Controller IP address)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5156</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
                      <li><span class="strong">Network Information &gt; Destination Port</span>: Destination port number (high port)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (445)</li>
                      <li><span class="strong">Network Information &gt; Destination Address</span>: Destination IP address (source host)</li>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (System)</li>
                      <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (inbound)</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (Domain Controller)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="3">3</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">3</td>
                    <td class="border">Network connection detected (rule: NetworkConnect)</td>
                    <td class="border">Network connection detected.<ul>
                      <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
                      <li><span class="strong">DestinationIp</span>: Destination IP address (source host IP address)</li>
                      <li><span class="strong">Image</span>: Path to the executable file (C:\Windows\System32\lsass.exe)</li>
                      <li><span class="strong">DestinationHostname</span>: Destination host name (source host name)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">User</span>: Execute as user (NT AUTHORITY\SYSTEM)</li>
                      <li><span class="strong">DestinationPort</span>: Destination port number (high port)</li>
                      <li><span class="strong">SourcePort</span>: Source port number (88)</li>
                      <li><span class="strong">SourceHostname</span>: Source host name (Domain Controller host name)</li>
                      <li><span class="strong">SourceIp</span>: Source IP address (Domain Controller IP address)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5156</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
                      <li><span class="strong">Network Information &gt; Destination Port</span>: Destination port number (high port)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (88)</li>
                      <li><span class="strong">Network Information &gt; Destination Address</span>: Destination IP address (source host)</li>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (\device\harddiskvolume2\windows\system32\lsass.exe)</li>
                      <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (inbound)</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (Domain Controller)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4768</td>
                    <td class="border">Kerberos Authentication Service</td>
                    <td class="border">A Kerberos authentication ticket (TGT) was requested.<ul>
                      <li><span class="strong">Network Information &gt; Client Address</span>: Source IP address that requested the ticket (source host)</li>
                      <li><span class="strong">Account Information &gt; Supplied Realm Name</span>: Account domain (domain)</li>
                      <li><span class="strong">Additional Information &gt; Ticket Option</span>: Ticket settings (0x40810010)</li>
                      <li><span class="strong">Account Information &gt; Account Name</span>: Name of the account from which the ticket was requested (administrator)</li>
                      <li><span class="strong">Additional Information &gt; Result Code</span>: Ticket processing result (0x0)</li>
                      <li><span class="strong">Network Information &gt; Client Port</span>: Source port number of the ticket request (high port)</li>
                      <li><span class="strong">Account Information &gt; User ID</span>: SID of the account (SID of the administrator)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="2">4</td>
                    <td class="border">Security</td>
                    <td class="border">4769</td>
                    <td class="border">A Kerberos service ticket was requested</td>
                    <td class="border">A Kerberos service ticket was requested.<ul>
                      <li><span class="strong">Network Information &gt; Client Address</span>: Source IP address that requested the ticket (source host)</li>
                      <li><span class="strong">Account Information &gt; Account Domain</span>: Account domain (domain)</li>
                      <li><span class="strong">Account Information &gt; Account Name</span>: Name of the account from which the ticket was requested ([administrator]@[Domain])</li>
                      <li><span class="strong">Additional Information &gt; Ticket Option</span>: Ticket settings (0x40810000)</li>
                      <li><span class="strong">Additional Information &gt; Error Code</span>: Ticket processing result (0x0)</li>
                      <li><span class="strong">Service Information &gt; Service Name</span>: Ticket service name ([Domain Controller Host Name]$)</li>
                      <li><span class="strong">Account Information &gt; Logon GUID</span>: Session ID of the logon</li>
                      <li><span class="strong">Service Information &gt; Service ID</span>: SID of the service (SID of the standard user)</li>
                      <li><span class="strong">Network Information &gt; Client Port</span>: Source port number of the ticket request (high port)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4769</td>
                    <td class="border">A Kerberos service ticket was requested</td>
                    <td class="border">A Kerberos service ticket was requested.<ul>
                      <li><span class="strong">Network Information &gt; Client Address</span>: Source IP address that requested the ticket (source host)</li>
                      <li><span class="strong">Account Information &gt; Account Domain</span>: Account domain (domain)</li>
                      <li><span class="strong">Account Information &gt; Account Name</span>: Name of the account from which the ticket was requested ([administrator]@[Domain])</li>
                      <li><span class="strong">Additional Information &gt; Ticket Option</span>: Ticket settings (0x40810000)</li>
                      <li><span class="strong">Additional Information &gt; Error Code</span>: Ticket processing result (0x0)</li>
                      <li><span class="strong">Service Information &gt; Service Name</span>: Service name of the ticket (krbtgt)</li>
                      <li><span class="strong">Account Information &gt; Logon GUID</span>: Session ID of the logon</li>
                      <li><span class="strong">Service Information &gt; Service ID</span>: SID of the service (SID of the KDC service)</li>
                      <li><span class="strong">Network Information &gt; Client Port</span>: Source port number of the ticket request (high port)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="1">5</td>
                    <td class="border">Security</td>
                    <td class="border">4672</td>
                    <td class="border">Special Logon</td>
                    <td class="border">Privileges assigned to a new logon.<ul>
                      <li><span class="strong">Privileges</span>: Assigned privileges (SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeLoadDriverPrivilege, SeImpersonatePrivilege, SeEnableDelegationPrivilege)</li>
                      <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool (SID of the administrator)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the account belongs (domain)</li>
                      <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool (administrator)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="1">6</td>
                    <td class="border">Security</td>
                    <td class="border">4624</td>
                    <td class="border">Logon</td>
                    <td class="border">An account was successfully logged on.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal) (0x0)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool (S-1-0-0/-/-)</li>
                      <li><span class="strong">New Logon &gt; Logon ID/Logon GUID</span>: Session ID of the user who was logged on</li>
                      <li><span class="strong">Detailed Authentication Information &gt; Logon Process</span>: Process used for logon (Kerberos)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number</li>
                      <li><span class="strong">New Logon &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who was logged on ([SID of Administrator]/[Administrator]/[Domain])</li>
                      <li><span class="strong">Logon Type</span>: Logon path, method, etc. (3=Network)</li>
                      <li><span class="strong">Network Information &gt; Workstation Name</span>: Name of the host that requested the logon</li>
                      <li><span class="strong">Detailed Authentication Information &gt; Key Length</span>: Length of the key used for the authentication (0)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Path to the executable file (-)</li>
                      <li><span class="strong">Detailed Authentication Information &gt; Authentication Package</span>: Authentication package used (Kerberos)</li>
                      <li><span class="strong">Network Information &gt; Source Network Address</span>: IP address that requested the logon</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the authentication (0x0)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="2">7</td>
                    <td class="border">Security</td>
                    <td class="border">5140</td>
                    <td class="border">File Sharing</td>
                    <td class="border">A network share object was accessed.<ul>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (high port)</li>
                      <li><span class="strong">Shared Information &gt; Share Path</span>: Shared path</li>
                      <li><span class="strong">Network Information &gt; Source/Source Port</span>: Execution source host/Port number</li>
                      <li><span class="strong">Access Request Information &gt; Access</span>: Requested privileges (ReadData)</li>
                      <li><span class="strong">Shared Information &gt; Share Name</span>: Share name used (\*\IPC$)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool ([SID of Administrator]/[Administrator]/[Domain])</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (source host)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5145</td>
                    <td class="border">Detailed File Share</td>
                    <td class="border">A network share object was checked to see whether the client can be granted the desired access.<ul>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (high port)</li>
                      <li><span class="strong">Network Information &gt; Object Type</span>: Type of the created object (File)</li>
                      <li><span class="strong">Shared Information &gt; Share Path</span>: Shared path</li>
                      <li><span class="strong">Access Request Information &gt; Access</span>: Requested privilege</li>
                      <li><span class="strong">Shared Information &gt; Share Name</span>: Share name (\*\IPC$)</li>
                      <li><span class="strong">Network Information &gt; Source Address/Source Port</span>: Source IP address/Port number</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Shared Information &gt; Relative Target Name</span>: Relative target name from the share path (samr)</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (source host)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="8">8</td>
                    <td class="border">Security</td>
                    <td class="border">4661</td>
                    <td class="border">SAM</td>
                    <td class="border">A handle to an object was requested.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Audit Success</span>: Success or failure (access successful)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target object name (DN)</li>
                      <li><span class="strong">Access Request Information &gt; Access</span>: Requested privilege (DELETE)</li>
                      <li><span class="strong">Object &gt; Object Server</span>: Server that hosts the object (Security Account Manager)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that requested the handle (C:\Windows\System32\lsass.exe)</li>
                      <li><span class="strong">Object &gt; Object Type</span>: Target category (SAM_DOMAIN)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4661</td>
                    <td class="border">SAM</td>
                    <td class="border">A handle to an object was requested.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Audit Success</span>: Success or failure (access successful)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target object name (DN)</li>
                      <li><span class="strong">Access Request Information &gt; Access</span>: Requested privileges (ListAccounts)</li>
                      <li><span class="strong">Object &gt; Object Server</span>: Server that hosts the object (Security Account Manager)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that requested the handle ({bf967a90-0de6-11d0-a285-00aa003049e2})</li>
                      <li><span class="strong">Object &gt; Object Type</span>: Target category (SAM_DOMAIN)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4720</td>
                    <td class="border">User Account Management</td>
                    <td class="border">A user account was created.<ul>
                      <li><span class="strong">Attribute &gt; Old UAC Value</span>: Old UAC value for the user that was created (0x0)</li>
                      <li><span class="strong">Attribute &gt; User Account Control</span>: Account control for the user that was created</li>
                      <li><span class="strong">Attribute &gt; Account Expiration Date</span>: Date on which the created user account expires</li>
                      <li><span class="strong">Attribute &gt; Password Last Set</span>: Time at which the password of the created user was last set</li>
                      <li><span class="strong">Attribute &gt; SID History</span>: SID history of the created user (-)</li>
                      <li><span class="strong">New Account &gt; Account Name</span>: Name of the created account (name of the added user)</li>
                      <li><span class="strong">Attribute &gt; Logon Time</span>: Time at which the created user logged on</li>
                      <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool (SID of the administrator)</li>
                      <li><span class="strong">Attribute &gt; New UAC Value</span>: New UAC value for the created user (0x15)</li>
                      <li><span class="strong">Attribute &gt; Profile Path</span>: Path to profile of the created user</li>
                      <li><span class="strong">Attribute &gt; User Principal Name</span>: Principal name of the created user (-)</li>
                      <li><span class="strong">Attribute &gt; Allowed Delegation Destination</span>: Delegation destination allowed for the created user (-)</li>
                      <li><span class="strong">New Account &gt; Security ID</span>: SID of the created user (SID of the general user)</li>
                      <li><span class="strong">Attribute &gt; Primary Group ID</span>: Primary group ID to which the created user belongs (513)</li>
                      <li><span class="strong">Attribute &gt; Display Name</span>: Display name for the created user</li>
                      <li><span class="strong">Attribute &gt; SAM Account Name</span>: SAM account name for the created user (added user name)</li>
                      <li><span class="strong">New Account &gt; Account Domain</span>: Domain to which the created user belongs (Domain)</li>
                      <li><span class="strong">Attribute &gt; User Workstation</span>: Workstation name for the created user</li>
                      <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool (administrator)</li>
                      <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the account belongs (domain)</li>
                      <li><span class="strong">Additional Information &gt; Privileges</span>: Privilege information for the created user (-)</li>
                      <li><span class="strong">Attribute &gt; Home Directory</span>: Home directory for the created user</li>
                      <li><span class="strong">Attribute &gt; Script Path</span>: Script path for the created user</li>
                      <li><span class="strong">Attribute &gt; Home Drive</span>: Home drive for the created user</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Attribute &gt; User Parameter</span>: Parameter for the created user</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4722</td>
                    <td class="border">User Account Management</td>
                    <td class="border">A user account was enabled.<ul>
                      <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool (administrator)</li>
                      <li><span class="strong">Target Account &gt; Account Domain</span>: Domain to which the enabled account belongs (Domain)</li>
                      <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the account belongs (domain)</li>
                      <li><span class="strong">Target Account &gt; Account Name</span>: Name of the enabled account (name of the added user)</li>
                      <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool (SID of the administrator)</li>
                      <li><span class="strong">Target Account &gt; Security ID</span>: SID of the enabled user (SID of the general user)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4724</td>
                    <td class="border">User Account Management</td>
                    <td class="border">An attempt was made to reset an account password.<ul>
                      <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool (administrator)</li>
                      <li><span class="strong">Target Account &gt; Account Domain</span>: Domain that the account for which an attempt was made to reset the password belongs to (Domain)</li>
                      <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the account belongs (domain)</li>
                      <li><span class="strong">Target Account &gt; Account Name</span>: Name of the account for which an attempt was made to reset the password (added user name)</li>
                      <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool (SID of the administrator)</li>
                      <li><span class="strong">Target Account &gt; Security ID</span>: SID of the user for which an attempt was made to reset the password (SID of the general user)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4738</td>
                    <td class="border">User Account Management</td>
                    <td class="border">A user account was changed.<ul>
                      <li><span class="strong">Changed Attribute &gt; Home Drive</span>: Changed home drive of the user (-)</li>
                      <li><span class="strong">Target Account &gt; Account Name</span>: Name of the changed account (added user name)</li>
                      <li><span class="strong">Changed Attribute &gt; Display Name</span>: Changed display name of the user</li>
                      <li><span class="strong">Changed Attribute &gt; Script Path</span>: Changed path to the script of the user (-)</li>
                      <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool (SID of the administrator)</li>
                      <li><span class="strong">Changed Attribute &gt; Allowed Delegation Destination</span>: Changed delegation destination allowed for the user (-)</li>
                      <li><span class="strong">Target Account &gt; Account Domain</span>: Domain to which the changed account belongs (Domain)</li>
                      <li><span class="strong">Changed Attribute &gt; User Workstation</span>: Changed name of workstation of the user (-)</li>
                      <li><span class="strong">Changed Attribute &gt; SAM Account Name</span>: Changed name of SAM account of the user (-)</li>
                      <li><span class="strong">Target Account &gt; Security ID</span>: SID of the changed account (SID of the general user)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Changed Attribute &gt; SID History</span>: Changed history of SID of the user (-)</li>
                      <li><span class="strong">Changed Attribute &gt; Account Expiration Date</span>: Changed date on which the user account expires</li>
                      <li><span class="strong">Changed Attribute &gt; Password Last Set</span>: Time at which the password of the user was last set (execution time)</li>
                      <li><span class="strong">Changed Attribute &gt; User Principal Name</span>: Changed principal name of the user (-)</li>
                      <li><span class="strong">Changed Attribute &gt; User Parameter</span>: Changed parameter of the user (-)</li>
                      <li><span class="strong">Changed Attribute &gt; Primary Group ID</span>: Changed primary group ID to which the user belongs (-)</li>
                      <li><span class="strong">Changed Attribute &gt; New UAC Value</span>: New UAC value for the changed user (0x10)</li>
                      <li><span class="strong">Changed Attribute &gt; Old UAC Value</span>: Old UAC value for the changed user (0x15)</li>
                      <li><span class="strong">Changed Attribute &gt; User Account Control</span>: Changed account control for the user (the account is enabled)</li>
                      <li><span class="strong">Changed Attribute &gt; Logon Time</span>: Changed time at which the user logged on (-)</li>
                      <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool (administrator)</li>
                      <li><span class="strong">Changed Attribute &gt; Home Directory</span>: Changed home directory of the user (-)</li>
                      <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the account belongs (domain)</li>
                      <li><span class="strong">Additional Information &gt; Privileges</span>: Changed privileges of the user (-)</li>
                      <li><span class="strong">Changed Attribute &gt; Profile Path</span>: Changed path to the profile of the user (-)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4658</td>
                    <td class="border">File System</td>
                    <td class="border">The handle to an object was closed.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that requested the object (C:\Windows\System32\lsass.exe)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4634</td>
                    <td class="border">Logoff</td>
                    <td class="border">An account was logged off.<ul>
                      <li><span class="strong">Logon Type</span>: Logon path, method, etc. (3=Network)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool ([SID of Administrator]/[Administrator]/[Domain])</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the authentication</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="2">9</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">3</td>
                    <td class="border">Network connection detected (rule: NetworkConnect)</td>
                    <td class="border">Network connection detected.<ul>
                      <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
                      <li><span class="strong">DestinationIp</span>: Destination IP address (source host IP address)</li>
                      <li><span class="strong">Image</span>: Path to the executable file (System)</li>
                      <li><span class="strong">DestinationHostname</span>: Destination host name (source host name)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID</li>
                      <li><span class="strong">User</span>: Execute as user (NT AUTHORITY\SYSTEM)</li>
                      <li><span class="strong">DestinationPort</span>: Destination port number (high port)</li>
                      <li><span class="strong">SourcePort</span>: Source port number (445)</li>
                      <li><span class="strong">SourceHostname</span>: Source host name (Domain Controller host name)</li>
                      <li><span class="strong">SourceIp</span>: Source IP address (Domain Controller IP address)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5156</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
                      <li><span class="strong">Network Information &gt; Destination Port</span>: Destination port number (high port)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (445)</li>
                      <li><span class="strong">Network Information &gt; Destination Address</span>: Destination IP address (source host)</li>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (System)</li>
                      <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (inbound)</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (Domain Controller)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="1">10</td>
                    <td class="border">Security</td>
                    <td class="border">4672</td>
                    <td class="border">Special Logon</td>
                    <td class="border">Privileges assigned to a new logon.<ul>
                      <li><span class="strong">Privileges</span>: Assigned privileges (SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeLoadDriverPrivilege, SeImpersonatePrivilege, SeEnableDelegationPrivilege)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="1">11</td>
                    <td class="border">Security</td>
                    <td class="border">4624</td>
                    <td class="border">Logon</td>
                    <td class="border">An account was successfully logged on.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool (S-1-0-0/-/-)</li>
                      <li><span class="strong">New Logon &gt; Logon ID/Logon GUID</span>: Session ID of the user who was logged on</li>
                      <li><span class="strong">Detailed Authentication Information &gt; Package Name (NTLM only)</span>: NTLM version (-)</li>
                      <li><span class="strong">Detailed Authentication Information &gt; Logon Process</span>: Process used for logon (Kerberos)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number</li>
                      <li><span class="strong">New Logon &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who was logged on ([SID of Administrator]/[Administrator]/[Domain])</li>
                      <li><span class="strong">Logon Type</span>: Logon path, method, etc. (3=Network)</li>
                      <li><span class="strong">Network Information &gt; Workstation Name</span>: Name of the host that requested the logon</li>
                      <li><span class="strong">Detailed Authentication Information &gt; Key Length</span>: Length of the key used for the authentication (0)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Path to the executable file</li>
                      <li><span class="strong">Detailed Authentication Information &gt; Authentication Package</span>: Authentication package used (Kerberos)</li>
                      <li><span class="strong">Network Information &gt; Source Network Address</span>: IP address that requested the logon</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the authentication</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="2">12</td>
                    <td class="border">Security</td>
                    <td class="border">5140</td>
                    <td class="border">File Sharing</td>
                    <td class="border">A network share object was accessed.<ul>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (high port)</li>
                      <li><span class="strong">Shared Information &gt; Share Path</span>: Shared path</li>
                      <li><span class="strong">Network Information &gt; Source/Source Port</span>: Execution source host/Port number</li>
                      <li><span class="strong">Access Request Information &gt; Access</span>: Requested privileges (ReadData)</li>
                      <li><span class="strong">Shared Information &gt; Share Name</span>: Share name used (\*\IPC$)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool ([SID of Administrator]/[Administrator]/[Domain])</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (source host IP address)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5145</td>
                    <td class="border">Detailed File Share</td>
                    <td class="border">A network share object was checked to see whether the client can be granted the desired access.<ul>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (high port)</li>
                      <li><span class="strong">Network Information &gt; Object Type</span>: Type of the created object (File)</li>
                      <li><span class="strong">Shared Information &gt; Share Path</span>: Shared path</li>
                      <li><span class="strong">Access Request Information &gt; Access</span>: Requested privilege</li>
                      <li><span class="strong">Shared Information &gt; Share Name</span>: Share name (\*\IPC$)</li>
                      <li><span class="strong">Network Information &gt; Source Address/Source Port</span>: Source IP address/Port number</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Shared Information &gt; Relative Target Name</span>: Relative target name from the share path (samr)</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (source host IP address)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="5">13</td>
                    <td class="border">Security</td>
                    <td class="border">4661</td>
                    <td class="border">SAM</td>
                    <td class="border">A handle to an object was requested.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Audit Success</span>: Success or failure (access successful)</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target object name (DN)</li>
                      <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool (administrator)</li>
                      <li><span class="strong">Access Request Information &gt; Access</span>: Requested privilege (DELETE)</li>
                      <li><span class="strong">Object &gt; Object Server</span>: SecurityAccount Manager (Security Account Manager)</li>
                      <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the account belongs (domain)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\lsass.exe)</li>
                      <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool (SID of the administrator)</li>
                      <li><span class="strong">Object &gt; Object Type</span>: Target category (SAM_DOMAIN)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4661</td>
                    <td class="border">SAM</td>
                    <td class="border">A handle to an object was requested.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Audit Success</span>: Success or failure (access successful)</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target object name (SID of the domain administrator group)</li>
                      <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool (administrator)</li>
                      <li><span class="strong">Access Request Information &gt; Access</span>: Requested privilege (DELETE)</li>
                      <li><span class="strong">Object &gt; Object Server</span>: SecurityAccount Manager (Security Account Manager)</li>
                      <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the account belongs (domain)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\lsass.exe)</li>
                      <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool (SID of the administrator)</li>
                      <li><span class="strong">Object &gt; Object Type</span>: Target category (SAM_GROUP)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4728</td>
                    <td class="border">Security Group Management</td>
                    <td class="border">A member was added to a security-enabled global group.<ul>
                      <li><span class="strong">Group &gt; Security ID</span>: SID of the group to which a member was added (SID of the domain administrator group)</li>
                      <li><span class="strong">Group &gt; Group Domain</span>: Domain that the group to which a member was added belongs to (Domain)</li>
                      <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool (administrator)</li>
                      <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the account belongs (domain)</li>
                      <li><span class="strong">Member &gt; Security ID</span>: SID of the user who was added to the global group (SID of the created user)</li>
                      <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool (SID of the administrator)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Member &gt; Account Name</span>: Name of the account that was added to the global group (CN=[Created User Name],CN=[OU],DC=[DN])</li>
                      <li><span class="strong">Group &gt; Group Name</span>: Name of the group to which a member was added (Domain Admins)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4737</td>
                    <td class="border">Security Group Management</td>
                    <td class="border">A security-enabled global group was changed.<ul>
                      <li><span class="strong">Changed Attribute &gt; SID History</span>: Changed history of the SID (-)</li>
                      <li><span class="strong">Group &gt; Security ID</span>: Changed SID of the group (SID of the domain administrator group)</li>
                      <li><span class="strong">Group &gt; Group Domain</span>: Changed domain to which the group belongs (Domain)</li>
                      <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool (administrator)</li>
                      <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the account belongs (domain)</li>
                      <li><span class="strong">Additional Information &gt; Privileges</span>: Changed privileges of the group (-)</li>
                      <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool (SID of the administrator)</li>
                      <li><span class="strong">Changed Attribute &gt; SAM Account Name</span>: Changed name of the SAM account (-)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Group &gt; Group Name</span>: Changed name of the group (Domain Admins)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4658</td>
                    <td class="border">File System</td>
                    <td class="border">The handle to an object was closed.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that requested the object (C:\Windows\System32\lsass.exe)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="1">14</td>
                    <td class="border">Security</td>
                    <td class="border">4634</td>
                    <td class="border">Logoff</td>
                    <td class="border">An account was logged off.<ul>
                      <li><span class="strong">Logon Type</span>: Logon path, method, etc. (3=Network)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool ([SID of Administrator]/[Administrator]/[Domain])</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the authentication</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="2">15</td>
                    <td class="border">Microsoft-Windows-Sysmon/Operational</td>
                    <td class="border">3</td>
                    <td class="border">Network connection detected (rule: NetworkConnect)</td>
                    <td class="border">Network connection detected.<ul>
                      <li><span class="strong">Protocol</span>: Protocol (tcp)</li>
                      <li><span class="strong">DestinationIp</span>: Destination IP address (source host IP address)</li>
                      <li><span class="strong">Image</span>: Path to the executable file (System)</li>
                      <li><span class="strong">DestinationHostname</span>: Destination host name (source host name)</li>
                      <li><span class="strong">ProcessGuid/ProcessId</span>: Process ID (4)</li>
                      <li><span class="strong">User</span>: Execute as user (NT AUTHORITY\SYSTEM)</li>
                      <li><span class="strong">DestinationPort</span>: Destination port number (high port)</li>
                      <li><span class="strong">SourcePort</span>: Source port number (445)</li>
                      <li><span class="strong">SourceHostname</span>: Source host name (Domain Controller host name)</li>
                      <li><span class="strong">SourceIp</span>: Source IP address (Domain Controller IP address)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5156</td>
                    <td class="border">Filtering Platform Connection</td>
                    <td class="border">The Windows Filtering Platform has allowed a connection.<ul>
                      <li><span class="strong">Network Information &gt; Destination Port</span>: Destination port number (high port)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (445)</li>
                      <li><span class="strong">Network Information &gt; Destination Address</span>: Destination IP address (source host)</li>
                      <li><span class="strong">Network Information &gt; Protocol</span>: Protocol used (6=TCP)</li>
                      <li><span class="strong">Application Information &gt; Application Name</span>: Execution process (System)</li>
                      <li><span class="strong">Network Information &gt; Direction</span>: Communication direction (inbound)</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (Domain Controller)</li>
                      <li><span class="strong">Application Information &gt; Process ID</span>: Process ID</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="1">16</td>
                    <td class="border">Security</td>
                    <td class="border">4672</td>
                    <td class="border">Special Logon</td>
                    <td class="border">Privileges assigned to a new logon.<ul>
                      <li><span class="strong">Privileges</span>: Assigned privileges (SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeLoadDriverPrivilege, SeImpersonatePrivilege, SeEnableDelegationPrivilege)</li>
                      <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool (SID of the administrator)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the account belongs (domain)</li>
                      <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool (administrator)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="1">17</td>
                    <td class="border">Security</td>
                    <td class="border">4624</td>
                    <td class="border">Logon</td>
                    <td class="border">An account was successfully logged on.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool (S-1-0-0/-/-)</li>
                      <li><span class="strong">New Logon &gt; Logon ID/Logon GUID</span>: Session ID of the user who was logged on</li>
                      <li><span class="strong">Detailed Authentication Information &gt; Logon Process</span>: Process used for logon (Kerberos)</li>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number</li>
                      <li><span class="strong">New Logon &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who was logged on ([SID of Administrator]/[Administrator]/[Domain])</li>
                      <li><span class="strong">Logon Type</span>: Logon path, method, etc. (3=Network)</li>
                      <li><span class="strong">Network Information &gt; Workstation Name</span>: Name of the host that requested the logon</li>
                      <li><span class="strong">Detailed Authentication Information &gt; Key Length</span>: Length of the key used for the authentication (0)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Path to the executable file</li>
                      <li><span class="strong">Detailed Authentication Information &gt; Authentication Package</span>: Authentication package used (Kerberos)</li>
                      <li><span class="strong">Network Information &gt; Source Network Address</span>: IP address that requested the logon</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the authentication</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="2">18</td>
                    <td class="border">Security</td>
                    <td class="border">5140</td>
                    <td class="border">File Sharing</td>
                    <td class="border">A network share object was accessed.<ul>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (high port)</li>
                      <li><span class="strong">Shared Information &gt; Share Path</span>: Shared path</li>
                      <li><span class="strong">Network Information &gt; Source/Source Port</span>: Execution source host/Port number</li>
                      <li><span class="strong">Access Request Information &gt; Access</span>: Requested privileges (ReadData)</li>
                      <li><span class="strong">Shared Information &gt; Share Name</span>: Share name used (\*\IPC$)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool ([SID of Administrator]/[Administrator]/[Domain])</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (source host IP address)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">5145</td>
                    <td class="border">Detailed File Share</td>
                    <td class="border">A network share object was checked to see whether the client can be granted the desired access.<ul>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (high port)</li>
                      <li><span class="strong">Network Information &gt; Object Type</span>: Type of the created object (File)</li>
                      <li><span class="strong">Shared Information &gt; Share Path</span>: Shared path</li>
                      <li><span class="strong">Access Request Information &gt; Access</span>: Requested privilege</li>
                      <li><span class="strong">Shared Information &gt; Share Name</span>: Share name (\*\IPC$)</li>
                      <li><span class="strong">Network Information &gt; Source Address/Source Port</span>: Source IP address/Port number</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Shared Information &gt; Relative Target Name</span>: Relative target name from the share path (samr)</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (source host IP address)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="3">19</td>
                    <td class="border">Security</td>
                    <td class="border">4661</td>
                    <td class="border">SAM</td>
                    <td class="border">A handle to an object was requested.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Audit Success</span>: Success or failure (access successful)</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target object name (DC=[DN])</li>
                      <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool (administrator)</li>
                      <li><span class="strong">Access Request Information &gt; Access</span>: Requested privilege (DELETE)</li>
                      <li><span class="strong">Object &gt; Object Server</span>: SecurityAccount Manager (Security Account Manager)</li>
                      <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the account belongs (domain)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\lsass.exe)</li>
                      <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool (SID of the administrator)</li>
                      <li><span class="strong">Object &gt; Object Type</span>: Target category (SAM_DOMAIN)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4661</td>
                    <td class="border">SAM</td>
                    <td class="border">A handle to an object was requested.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Audit Success</span>: Success or failure (access successful)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Object &gt; Object Name</span>: Target object name (CN=Builtin,DC=[DN])</li>
                      <li><span class="strong">Access Request Information &gt; Access</span>: Requested privilege (DELETE)</li>
                      <li><span class="strong">Object &gt; Object Server</span>: SecurityAccount Manager (Security Account Manager)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that closed the handle (C:\Windows\System32\lsass.exe)</li>
                      <li><span class="strong">Object &gt; Object Type</span>: Target category (SAM_DOMAIN)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4658</td>
                    <td class="border">File System</td>
                    <td class="border">The handle to an object was closed.<ul>
                      <li><span class="strong">Process Information &gt; Process ID</span>: Process ID (hexadecimal)</li>
                      <li><span class="strong">Process Information &gt; Process Name</span>: Name of the process that requested the object (C:\Windows\System32\lsass.exe)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      <li><span class="strong">Object &gt; Handle ID</span>: ID of the relevant handle (handle obtained with Event ID 4656)</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="2">20</td>
                    <td class="border">Security</td>
                    <td class="border">5145</td>
                    <td class="border">Detailed File Share</td>
                    <td class="border">A network share object was checked to see whether the client can be granted the desired access.<ul>
                      <li><span class="strong">Network Information &gt; Source Port</span>: Source port number (high port)</li>
                      <li><span class="strong">Network Information &gt; Object Type</span>: Type of the created object (File)</li>
                      <li><span class="strong">Shared Information &gt; Share Path</span>: Shared path</li>
                      <li><span class="strong">Access Request Information &gt; Access</span>: Requested privilege</li>
                      <li><span class="strong">Shared Information &gt; Share Name</span>: Share name (\*\IPC$)</li>
                      <li><span class="strong">Network Information &gt; Source Address/Source Port</span>: Source IP address/Port number</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool</li>
                      <li><span class="strong">Shared Information &gt; Relative Target Name</span>: Relative target name from the share path (samr)</li>
                      <li><span class="strong">Network Information &gt; Source Address</span>: Source IP address (source host IP address)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <!-- rowspan -->
                    <td class="border">Security</td>
                    <td class="border">4726</td>
                    <td class="border">User Account Management</td>
                    <td class="border">A user account was deleted.<ul>
                      <li><span class="strong">Subject &gt; Account Name</span>: Name of the account that executed the tool (administrator)</li>
                      <li><span class="strong">Target Account &gt; Account Domain</span>: Domain that the account for which an attempt was made to reset the password belongs to (Domain)</li>
                      <li><span class="strong">Subject &gt; Account Domain</span>: Domain to which the account belongs (domain)</li>
                      <li><span class="strong">Target Account &gt; Account Name</span>: Name of the account for which an attempt was made to reset the password (deleted user name)</li>
                      <li><span class="strong">Subject &gt; Security ID</span>: SID of the user who executed the tool (SID of the administrator)</li>
                      <li><span class="strong">Target Account &gt; Security ID</span>: SID of the user for which an attempt was made to reset the password (SID of the general user)</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the process</li>
                      </ul></td>
                  </tr>
                  <tr class="border">
                    <td class="border" rowspan="1">21</td>
                    <td class="border">Security</td>
                    <td class="border">4634</td>
                    <td class="border">Logoff</td>
                    <td class="border">An account was logged off.<ul>
                      <li><span class="strong">Logon Type</span>: Logon path, method, etc. (3=Network)</li>
                      <li><span class="strong">Subject &gt; Security ID/Account Name/Account Domain</span>: SID/Account name/Domain of the user who executed the tool ([SID of Administrator]/[Administrator]/[Domain])</li>
                      <li><span class="strong">Subject &gt; Logon ID</span>: Session ID of the user who executed the authentication</li>
                      </ul></td>
                  </tr>
                </tbody>
              </table>
            </div>
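            <p>The table above records one remote <code>net user</code>/<code>net group</code> operation as a chain of Security events that all share a Logon ID: a network logon (4624, Logon Type 3, Kerberos), access to the <code>samr</code> named pipe over <code>\\*\IPC$</code> (5145), SAM handle requests from <code>lsass.exe</code> (4661), the account or group change itself (4728, 4726), and the logoff (4634). The following script is an added example, not part of the original page, showing how that correlation can be done on exported events: it groups records by Logon ID and reports only sessions that reached SAMR over IPC$ and then changed an account or group, so a session that merely opens <code>srvsvc</code> to enumerate shares is not reported. The sample records, the IP addresses, the account names and the <code>PRIVILEGED_GROUPS</code> list are constructed assumptions; the field names follow the EventData names of the Security log.</p>

```python
from collections import defaultdict

# Constructed sample records (not a real log export). Field names follow the
# EventData names of the Security log; addresses and account names are assumed.
SAMPLE_EVENTS = [
    # Session 1: network logon, samr pipe, SAM_GROUP handle, member added to Domain Admins
    {"EventID": 4624, "TargetLogonId": "0x3e7a1", "LogonType": "3",
     "LogonProcessName": "Kerberos", "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "Administrator", "IpAddress": "192.0.2.10"},
    {"EventID": 5145, "SubjectLogonId": "0x3e7a1", "ShareName": "\\\\*\\IPC$",
     "RelativeTargetName": "samr", "IpAddress": "192.0.2.10"},
    {"EventID": 4661, "SubjectLogonId": "0x3e7a1", "ObjectType": "SAM_GROUP",
     "ObjectServer": "Security Account Manager",
     "ProcessName": "C:\\Windows\\System32\\lsass.exe"},
    {"EventID": 4728, "SubjectLogonId": "0x3e7a1", "TargetUserName": "Domain Admins",
     "MemberName": "CN=svc-backup,CN=Users,DC=example,DC=test"},
    {"EventID": 4634, "TargetLogonId": "0x3e7a1", "LogonType": "3"},
    # Session 2: only the srvsvc pipe (share enumeration), no account change: not reported
    {"EventID": 4624, "TargetLogonId": "0x4c002", "LogonType": "3",
     "LogonProcessName": "Kerberos", "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "jdoe", "IpAddress": "192.0.2.25"},
    {"EventID": 5145, "SubjectLogonId": "0x4c002", "ShareName": "\\\\*\\IPC$",
     "RelativeTargetName": "srvsvc", "IpAddress": "192.0.2.25"},
    {"EventID": 4634, "TargetLogonId": "0x4c002", "LogonType": "3"},
    # Session 3: account deletion over SAMR, as in step 20 of the table
    {"EventID": 4624, "TargetLogonId": "0x51a0c", "LogonType": "3",
     "LogonProcessName": "Kerberos", "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "Administrator", "IpAddress": "192.0.2.10"},
    {"EventID": 5145, "SubjectLogonId": "0x51a0c", "ShareName": "\\\\*\\IPC$",
     "RelativeTargetName": "samr", "IpAddress": "192.0.2.10"},
    {"EventID": 4726, "SubjectLogonId": "0x51a0c", "TargetUserName": "svc-backup"},
    {"EventID": 4634, "TargetLogonId": "0x51a0c", "LogonType": "3"},
]

# Assumed list of groups worth a high-severity alert; extend for your environment.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
# 4728 / 4732 / 4756: member added to a security-enabled global / local / universal group
GROUP_ADD_IDS = {4728, 4732, 4756}
# 4720: user account created, 4726: user account deleted
ACCOUNT_MGMT_IDS = {4720, 4726} | GROUP_ADD_IDS


def logon_id(ev):
    """Logon/logoff events carry the session in TargetLogonId; all others in SubjectLogonId."""
    if ev["EventID"] in (4624, 4634):
        return ev.get("TargetLogonId")
    return ev.get("SubjectLogonId")


def analyze(events):
    """Group events by Logon ID and return one finding per session that
    performed a network logon, reached the samr pipe over IPC$, and then
    changed an account or a group membership."""
    sessions = defaultdict(list)
    for ev in events:
        lid = logon_id(ev)
        if lid:
            sessions[lid].append(ev)

    findings = []
    for lid, evs in sessions.items():
        by_id = defaultdict(list)
        for ev in evs:
            by_id[ev["EventID"]].append(ev)

        logons = [e for e in by_id[4624] if e.get("LogonType") == "3"]
        samr = [e for e in by_id[5145]
                if e.get("ShareName", "").endswith("IPC$")
                and e.get("RelativeTargetName") == "samr"]
        changes = [e for e in evs if e["EventID"] in ACCOUNT_MGMT_IDS]
        if not (logons and samr and changes):
            continue  # SAMR alone (enumeration) or a change without a network logon: not this pattern

        priv = [e for e in changes
                if e["EventID"] in GROUP_ADD_IDS
                and e.get("TargetUserName") in PRIVILEGED_GROUPS]
        findings.append({
            "logon_id": lid,
            "account": logons[0].get("TargetUserName"),
            "source_ip": logons[0].get("IpAddress"),
            "event_ids": sorted({e["EventID"] for e in changes}),
            "severity": "high" if priv else "medium",
            "sam_group_handle": bool(by_id[4661]),
        })
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

            <p>Access to <code>samr</code> over <code>IPC$</code> is not suspicious on its own (administrative tools and enumeration scripts open it routinely), which is why the script requires the account-management event in the same Logon ID before reporting; in the 4728 record the group name is in <code>TargetUserName</code> and the new member's distinguished name in <code>MemberName</code>, as in the table above.</p>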
        </div>
        <hr class="section_divider">
      <h2 class="section"><a href="#Packets" class="collapse" id="a-Packets" onclick="showhide('Packets');">-</a> <a name="Packets">Packet Capture</a></h2>
        <div class="section" id="div-Packets">
          <table class="border">
            <thead>
              <tr class="border">
                <th class="border_header">#</th>
                <th class="border_header">Process</th>
                <th class="border_header">Source Host</th>
                <th class="border_header">Source Port Number</th>
                <th class="border_header">Destination Host</th>
                <th class="border_header">Destination Port Number</th>
                <th class="border_header">Protocol/Application</th>
              </tr>
            </thead>
            <tbody>
              <tr class="border">
                <td class="border" rowspan="2">&quot;net group /add&quot;: 16</td>
                <td class="border">LookupNames request (the account name to be added appears in this packet in the &quot;Names&quot; field)</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">LookupNames response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <td class="border" rowspan="2">&quot;net user /add&quot;: 8</td>
                <td class="border">Bind: call_id: 2, Fragment: Single, 3 context items: SAMR V1.0 (32bit NDR), SAMR V1.0 (64bit NDR), SAMR V1.0 (6cb71c2c</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">DCERPC</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Write Response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <td class="border" rowspan="2">&quot;net user /add&quot;: 9</td>
                <td class="border">Read Request Len:1024 Off:0 File: samr</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Bind_ack: call_id: 2, Fragment: Single, max_xmit: 4280 max_recv: 4280, 3 results: Provider rejection, Acceptance, Negotiate ACK</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">DCERPC</td>
              </tr>
              <tr class="border">
                <td class="border" rowspan="2">&quot;net user /add&quot;: 2</td>
                <td class="border">Session Setup Request</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Session Setup Response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <td class="border" rowspan="2">&quot;net user /add&quot;: 3</td>
                <td class="border">Tree Connect Request Tree: \\[Domain Controller]\IPC$</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Tree Connect Response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <td class="border" rowspan="2">&quot;net user /add&quot;: 1</td>
                <td class="border">Negotiate Protocol Request</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Negotiate Protocol Response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <td class="border" rowspan="2">&quot;net user /add&quot;: 6</td>
                <td class="border">Create Request File: samr</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Create Response File: samr</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <td class="border" rowspan="2">&quot;net user /add&quot;: 7</td>
                <td class="border">GetInfo Request FILE_INFO/SMB2_FILE_STANDARD_INFO File: samr</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">GetInfo Response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <td class="border" rowspan="2">&quot;net user /add&quot;: 4</td>
                <td class="border">Ioctl Request FSCTL_VALIDATE_NEGOTIATE_INFO</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Ioctl Response FSCTL_VALIDATE_NEGOTIATE_INFO</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <td class="border" rowspan="2">&quot;net user /add&quot;: 5</td>
                <td class="border">Ioctl Request FSCTL_QUERY_NETWORK_INTERFACE_INFO</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Ioctl Response FSCTL_QUERY_NETWORK_INTERFACE_INFO</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <td class="border" rowspan="2">&quot;net group /add&quot;: 19</td>
                <td class="border">Close Request File: samr</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Close Response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <td class="border" rowspan="2">&quot;net group /add&quot;: 18</td>
                <td class="border">Close request</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Close response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <td class="border" rowspan="35">&quot;net user /delete&quot;: 3</td>
                <td class="border">Create Request File: samr</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Create Response File: samr</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">GetInfo Request FILE_INFO/SMB2_FILE_STANDARD_INFO File: samr</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">GetInfo Response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Bind: call_id: 2, Fragment: Single, 3 context items: SAMR V1.0 (32bit NDR), SAMR V1.0 (64bit NDR), SAMR V1.0 (6cb71c2c</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">DCERPC</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Write Response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Read Request Len:1024 Off:0 File: samr</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Bind_ack: call_id: 2, Fragment: Single, max_xmit: 4280 max_recv: 4280, 3 results: Provider rejection, Acceptance, Negotiate ACK</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">DCERPC</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Connect5 request</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Connect5 response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">EnumDomains request</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">EnumDomains response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">LookupDomain request</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">LookupDomain response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">OpenDomain request</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">OpenDomain response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">OpenDomain request</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">OpenDomain response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">LookupNames request (the account name to be deleted is recorded in this packet as &quot;Names&quot;)</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">LookupNames response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">OpenUser request</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">OpenUser response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">RemoveMemberFromForeignDomain request</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">RemoveMemberFromForeignDomain response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">DeleteUser request</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Ioctl Response, Error: STATUS_PENDING</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">DeleteUser response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Close request</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Close response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Close request</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Close response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Close request</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Close response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Close Request File: samr</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Close Response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <td class="border" rowspan="2">&quot;net group /add&quot;: 20</td>
                <td class="border">Tree Disconnect Request</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Tree Disconnect Response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <td class="border" rowspan="2">&quot;net group /add&quot;: 21</td>
                <td class="border">Session Logoff Request</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Session Logoff Response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <td class="border" rowspan="40">&quot;net user /delete&quot;: 2</td>
                <td class="border">Create Request File: samr</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Create Response File: samr</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">GetInfo Request FILE_INFO/SMB2_FILE_STANDARD_INFO File: samr</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">GetInfo Response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Bind: call_id: 2, Fragment: Single, 3 context items: SAMR V1.0 (32bit NDR), SAMR V1.0 (64bit NDR), SAMR V1.0 (6cb71c2c</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">DCERPC</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Write Response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Read Request Len:1024 Off:0 File: samr</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Bind_ack: call_id: 2, Fragment: Single, max_xmit: 4280 max_recv: 4280, 3 results: Provider rejection, Acceptance, Negotiate ACK</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">DCERPC</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Connect5 request</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Connect5 response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">EnumDomains request</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">EnumDomains response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">LookupDomain request</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">LookupDomain response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">OpenDomain request</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">OpenDomain response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">OpenDomain request</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">OpenDomain response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">LookupNames request (the name of the account to be deleted is carried in the &quot;Names&quot; field of this packet)</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">LookupNames response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">OpenUser request</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">OpenUser response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">QueryUserInfo request</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">QueryUserInfo response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">QuerySecurity request</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">QuerySecurity response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">GetGroupsForUser request</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">GetGroupsForUser response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">GetAliasMembership request</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">GetAliasMembership response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Close request</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Close response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Close request</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Close response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Close request</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Close response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Close request</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Close response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Close Request File: samr</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Close Response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <td class="border" rowspan="2">&quot;net user /add&quot;: 21</td>
                <td class="border">Session Logoff Request</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Session Logoff Response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <td class="border" rowspan="2">&quot;net user /add&quot;: 20</td>
                <td class="border">Tree Disconnect Request</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Tree Disconnect Response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <td class="border" rowspan="4">&quot;net user /delete&quot;: 4</td>
                <td class="border">Tree Disconnect Request</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Tree Disconnect Response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Session Logoff Request</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Session Logoff Response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <td class="border" rowspan="2">&quot;net group /add&quot;: 9</td>
                <td class="border">Read Request Len:1024 Off:0 File: samr</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Bind_ack: call_id: 2, Fragment: Single, max_xmit: 4280 max_recv: 4280, 3 results: Provider rejection, Acceptance, Negotiate ACK</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">DCERPC</td>
              </tr>
              <tr class="border">
                <td class="border" rowspan="2">&quot;net group /add&quot;: 8</td>
                <td class="border">Bind: call_id: 2, Fragment: Single, 3 context items: SAMR V1.0 (32bit NDR), SAMR V1.0 (64bit NDR), SAMR V1.0 (6cb71c2c</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">DCERPC</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Write Response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <td class="border" rowspan="10">&quot;net user /delete&quot;: 1</td>
                <td class="border">Negotiate Protocol Request</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Negotiate Protocol Response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Session Setup Request</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Session Setup Response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Tree Connect Request Tree: \\[Domain Controller]\IPC$</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Tree Connect Response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Ioctl Request FSCTL_VALIDATE_NEGOTIATE_INFO</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Ioctl Response FSCTL_VALIDATE_NEGOTIATE_INFO</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Ioctl Request FSCTL_QUERY_NETWORK_INTERFACE_INFO</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Ioctl Response FSCTL_QUERY_NETWORK_INTERFACE_INFO</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <td class="border" rowspan="2">&quot;net group /add&quot;: 5</td>
                <td class="border">Ioctl Request FSCTL_QUERY_NETWORK_INTERFACE_INFO</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Ioctl Response FSCTL_QUERY_NETWORK_INTERFACE_INFO</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <td class="border" rowspan="2">&quot;net group /add&quot;: 4</td>
                <td class="border">Ioctl Request FSCTL_VALIDATE_NEGOTIATE_INFO</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Ioctl Response FSCTL_VALIDATE_NEGOTIATE_INFO</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <td class="border" rowspan="2">&quot;net group /add&quot;: 7</td>
                <td class="border">GetInfo Request FILE_INFO/SMB2_FILE_STANDARD_INFO File: samr</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">GetInfo Response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <td class="border" rowspan="2">&quot;net group /add&quot;: 6</td>
                <td class="border">Create Request File: samr</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Create Response File: samr</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <td class="border" rowspan="2">&quot;net group /add&quot;: 1</td>
                <td class="border">Negotiate Protocol Request</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Negotiate Protocol Response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <td class="border" rowspan="2">&quot;net group /add&quot;: 3</td>
                <td class="border">Tree Connect Request Tree: \\[Domain Controller]\IPC$</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Tree Connect Response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <td class="border" rowspan="2">&quot;net group /add&quot;: 2</td>
                <td class="border">Session Setup Request</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Session Setup Response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <td class="border" rowspan="2">&quot;net group /add&quot;: 11</td>
                <td class="border">EnumDomains request</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">EnumDomains response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <td class="border" rowspan="2">&quot;net group /add&quot;: 10</td>
                <td class="border">Connect5 request</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Connect5 response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <td class="border" rowspan="2">&quot;net group /add&quot;: 13</td>
                <td class="border">OpenDomain request</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">OpenDomain response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <td class="border" rowspan="2">&quot;net group /add&quot;: 12</td>
                <td class="border">LookupDomain request</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">LookupDomain response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <td class="border" rowspan="2">&quot;net group /add&quot;: 15</td>
                <td class="border">OpenGroup request</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">OpenGroup response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <td class="border" rowspan="2">&quot;net group /add&quot;: 14</td>
                <td class="border">LookupNames request (the name of the group to be added to is carried in the &quot;Names&quot; field of this packet)</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">LookupNames response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <td class="border" rowspan="2">&quot;net user /add&quot;: 18</td>
                <td class="border">Close request</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Close response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <td class="border" rowspan="2">&quot;net user /add&quot;: 19</td>
                <td class="border">Close Request File: samr</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Close Response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <td class="border" rowspan="3">&quot;net group /add&quot;: 17</td>
                <td class="border">AddGroupMember request</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Ioctl Response, Error: STATUS_PENDING</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">AddGroupMember response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <td class="border" rowspan="2">&quot;net user /add&quot;: 10</td>
                <td class="border">Connect5 request</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Connect5 response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <td class="border" rowspan="2">&quot;net user /add&quot;: 11</td>
                <td class="border">EnumDomains request</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">EnumDomains response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <td class="border" rowspan="2">&quot;net user /add&quot;: 12</td>
                <td class="border">LookupDomain request</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">LookupDomain response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <td class="border" rowspan="2">&quot;net user /add&quot;: 13</td>
                <td class="border">OpenDomain request</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">OpenDomain response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <td class="border" rowspan="3">&quot;net user /add&quot;: 14</td>
                <td class="border">CreateUser2 request (In the packet, the account name to be added is written as &quot;Account Name&quot;.)</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Ioctl Response, Error: STATUS_PENDING</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">CreateUser2 response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <td class="border" rowspan="2">&quot;net user /add&quot;: 15</td>
                <td class="border">QueryUserInfo request</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">QueryUserInfo response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <td class="border" rowspan="2">&quot;net user /add&quot;: 16</td>
                <td class="border">GetUserPwInfo request</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">GetUserPwInfo response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <td class="border" rowspan="3">&quot;net user /add&quot;: 17</td>
                <td class="border">SetUserInfo2 request [Malformed Packet] (In the packet, the password of the added account is sent, though not in readable form.)</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">SAMR</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">Ioctl Response, Error: STATUS_PENDING</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SMB2</td>
              </tr>
              <tr class="border">
                <!-- rowspan -->
                <td class="border">SetUserInfo2 response</td>
                <td class="border">[Destination Host]</td>
                <td class="border">445</td>
                <td class="border">[Source Host]</td>
                <td class="border">[High Port]</td>
                <td class="border">SAMR</td>
              </tr>
            </tbody>
          </table>
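<p>As an added detection example (not part of this analysis sheet), the following Python flags an SMB/SAMR session whose request chain matches the net user /add (OpenDomain, CreateUser2, SetUserInfo2) and net group /add (OpenGroup, LookupNames, AddGroupMember) sequences in the table above. The CSV records, addresses and account names are constructed, and the export layout is a hypothetical tshark-style format.</p>

```python
from collections import defaultdict

# Constructed sample records (hypothetical tshark-style export), not a real capture:
# frame,src,sport,dst,dport,protocol,operation,argument (argument is the "Account Name"
# or "Names" field the table above says the CreateUser2 / LookupNames request carries)
SAMPLE_RECORDS = """\
10,10.0.0.5,49210,10.0.0.10,445,SAMR,Connect5 request,
13,10.0.0.5,49210,10.0.0.10,445,SAMR,OpenDomain request,
14,10.0.0.5,49210,10.0.0.10,445,SAMR,CreateUser2 request,svc_backup
17,10.0.0.5,49210,10.0.0.10,445,SAMR,SetUserInfo2 request,
18,10.0.0.5,49210,10.0.0.10,445,SAMR,Close request,
20,10.0.0.7,49333,10.0.0.10,445,SAMR,OpenGroup request,
21,10.0.0.7,49333,10.0.0.10,445,SAMR,LookupNames request,Administrators
22,10.0.0.7,49333,10.0.0.10,445,SAMR,AddGroupMember request,
30,10.0.0.8,49400,10.0.0.10,445,SAMR,Connect5 request,
31,10.0.0.8,49400,10.0.0.10,445,SAMR,EnumDomains request,
32,10.0.0.8,49400,10.0.0.10,445,SAMR,Close request,
"""

# Request chains from the packet table; responses carry no argument, so only requests
# are matched. Gaps between chain members are allowed (QueryUserInfo, GetUserPwInfo etc.).
CREATE_USER_CHAIN = ["OpenDomain request", "CreateUser2 request", "SetUserInfo2 request"]
ADD_MEMBER_CHAIN = ["OpenGroup request", "LookupNames request", "AddGroupMember request"]

def parse_records(text):
    """Split the CSV-style export into one dict per frame (all fields kept as strings)."""
    fields = ("frame", "src", "sport", "dst", "dport", "proto", "op", "arg")
    return [dict(zip(fields, line.split(",", 7)))
            for line in text.splitlines() if line.strip()]

def contains_in_order(ops, chain):
    """True if every operation of `chain` appears in `ops` in that order (gaps allowed)."""
    it = iter(ops)
    return all(any(op == want for op in it) for want in chain)

def detect_samr_changes(text):
    """One finding per SAMR session (src, sport, dst:445) that completes a known chain."""
    sessions = defaultdict(list)
    for r in parse_records(text):
        if r["proto"] == "SAMR" and r["dport"] == "445":
            sessions[(r["src"], r["sport"], r["dst"])].append(r)
    findings = []
    for (src, _sport, dst), rows in sessions.items():
        ops = [r["op"] for r in rows]
        args = {r["op"]: r["arg"] for r in rows if r["arg"]}
        if contains_in_order(ops, CREATE_USER_CHAIN):
            findings.append({"kind": "net user /add", "src": src, "dst": dst,
                             "account": args.get("CreateUser2 request", "?")})
        if contains_in_order(ops, ADD_MEMBER_CHAIN):
            findings.append({"kind": "net group /add", "src": src, "dst": dst,
                             "group": args.get("LookupNames request", "?")})
    return findings
```

<p>The third session (Connect5, EnumDomains, Close only) produces no finding, which keeps ordinary domain enumeration from being reported as an account change.</p>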
          </div>
        <hr class="section_divider">
      <h2 class="section"><a href="#Notes" class="collapse" id="a-Notes" onclick="showhide('Notes');">-</a> <a name="Notes">Remarks</a></h2>
        <div class="section" id="div-Notes">
          <ul>
            <li>In this research, a user was added, a user was added to a group, and a user was deleted.</li>
          </ul>
        </div>
  </body>
</html>
